Silent Auth errors with Login Required after updating app_metadata via Management API

spatail · July 8, 2021, 7:13pm

Hello,

I am trying to understand why calling getAccessTokenSilently redirects me back to the login page after I update my user’s app_metadata via the Management API.

Here’s my setup:

I have two applications: 1) an SPA, and 2) a M2M
The SPA shows the Auth0 login screen and upon successful signup/login redirects back to my application
After redirecting, the user is requested to enter an invite code (from their email) to link the Auth0 user to my backend domain model
The SPA invokes my backend with the invite code. The backend uses the M2M client credentials to call the Management API to enhance the logged-in user’s app_metadata with a linking id
I also have a Rule defined which upon login/silent-auth will append the app_metadata as a custom claim in the new access token
After the backend call completes, the SPA requests a new access token via silent-auth. This is so that all subsequent backend calls will be made with a new token that contains the custom claim.

The issue I am facing is that when requesting a new token via silent-auth (after the backend call), the SPA gets a “login required” error and gets redirected back to the Auth0 login page.

Now what’s odd is that if I update the user’s app_metadata directly in Auth0 and then have the SPA request a new access token, it’s all hunky dory. But if I update the same user via the Management API, a request for a new token fails and requires a re-login.

Is there a difference in the way Auth0 handles updating a user directly from the Auth0 UI vs the Management API? Why does silent-auth work just fine in the former case, but does not work in the latter case?

I feel like I am missing something fundamental. Any help here would be much appreciated.

Thanks!

spatail · July 8, 2021, 7:53pm

If it helps, here’s a sequence diagram of my registration flow:

spatail · July 13, 2021, 9:27pm

Any suggestions here? The difference in behavior of silent-auth (when updating app_metadata via the Management API vs updating via the UI) is quite puzzling.

The UX of of having to re-login is what I am trying to avoid.

Thanks!

marcus.baker · July 23, 2021, 6:41pm

Hi,

Is your backend updating the email or email_verified attributes when it patches the user?
Patching Email or Email_verified via the management API will invalidate the Auth0 session.

Example:

This post body will invalidate the session:

{
  "email_verified": true,
  "app_metadata": {
          "TestData": "TestValue"
        }
}

This one works without invalidating the session:

{
  "app_metadata": {
          "TestData": "TestValue"
        }
}

spatail · July 23, 2021, 6:55pm

Yes, my backend was setting email_verified: true. After removing it, my frontend is able to refresh the token silently without getting the login required error.

Thanks Marcus!

Would you mind explaining why toggling email_verified invalidates the session? Is this shared in the docs anywhere?

system · August 7, 2021, 6:56pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Auth Error after updating app_metadata via Management API and injecting metadata to IdToken Help auth0	6	2663	January 11, 2022
My SPA application getAccessTokenSilently calls brings me to login page Help api , login , get-token-silently	3	1627	November 8, 2022
Getting 'Login Required' when attempting silent auth after successful authentication with magic link Help sessions , authentication-sessions	0	1346	November 22, 2022
Yet another "Failed Silent Auth" problem Help management-api , users	0	483	November 16, 2023
Silent Authentication Help silent-authenticatio	0	3726	June 10, 2019

Silent Auth errors with Login Required after updating app_metadata via Management API

Related Topics