Some users getting "Last time you logged in with" popup, despite prompt=none

I have a ticket open on this but thought the community might be able to help more quickly if this is something obvious that I am missing.

We have a small collection of users in one of our Auth0 hosted databases who are consistently getting the “Last time you were logged in with…” pop-up message, despite our using prompt=none in our configs. The vast majority of our users never see this message, as expected. There are no clear differences between the small number of users that is seeing the message vs the majority that are not. Those that are seeing the message also do not have anything obvious in common with each other. As well, when these users try to click through the pop-up, they just end up being redirected back to the login page. Use cases as reported by our support teams:

When the customer opens a new Auth0 login page, they have 2 options:

  1. click on their email address which says: “The last time you logged in with…” - this option returns the user back to the login page with no error message.
  2. click on “Not Your Account?” and enter login information. This option returns the user to the login page with “Last time you logged in with…”

Our prod tenant does not yet have “Seamless SSO” enabled.

Hi @markd. The promise of prompt=none is that there will be no user interaction: the server can either return the requested response or an error, but the login page (with the “last time you logged in with…” button) should never appear.

You say “despite our using prompt=none in our configs”. Can you clarify exactly what that means in terms of interaction with the service?

Ideally, a .HAR file would go a long way in understanding what’s going on.

Hi @nicolas_sabena,

Thanks for the response. I’ll need to get one of my devs to chime in on the details re: where prompt=none is used, but here is an example from a recent app. I believe all such examples in our code are “pre-Seamless SSO” so the real answer here may simply be to turn Seamless on in prod and remove all prompt=none references.

```python
import urllib.parse

# `settings` and `_get_nonce` come from the surrounding application (not shown).


def get_authorize_link(request, redir_uri):
    """ Returns an auth0 authorize url """
    params = {
        'client_id': settings.AUTH0_CLIENT_ID,
        'audience': settings.CUSTOMER_API_AUDIENCE,
        'response_type': 'code',
        'scope': 'openid',
        'state': _get_nonce(request, redir_uri),
        'prompt': 'none',
        'redirect_uri': settings.BASE_URL + redir_uri,
    }

    auth_url = 'https://' + settings.AUTH0_DOMAIN + '/authorize?' + urllib.parse.urlencode(params)

    return auth_url
```

I am still waiting on the business to line up a user to work with to get the HAR.

The code looks good, but I’d be curious to look at the .HAR file. Technically, as I said above, prompt=none should always return a result to the application (a 302 redirect or a 200 if a response_mode=form_post was requested), but never an interactive login page.

As for checkSession vs Seamless SSO, it’s hard to say without having the full context, but in general in an SPA you would enable seamless SSO, use a regular (interactive) /authorize request as the initial login (when the user doesn’t have a session yet in the application), and then checkSession would be used to renew access tokens without user interaction.

In a regular web app (which I guess is your case based on the code above), you would simply turn on seamless SSO and issue a regular /authorize request. Auth0 will show the login UI if strictly necessary, or return directly to the app if there’s sufficient session to avoid prompting the user.

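As an added example (not code from this thread or from Auth0), here is one way a regular web app could handle the redirect that comes back from a prompt=none request: verify `state`, exchange the code on success, and fall back to an interactive /authorize request when the server reports that interaction is needed. The function names and the example.test URLs are hypothetical; the error codes are the standard OpenID Connect ones.

```python
import hmac
import urllib.parse

# Errors an OpenID Connect provider returns when prompt=none cannot be
# satisfied without showing UI (OIDC Core 1.0, section 3.1.2.6).
NEEDS_INTERACTION = {
    "login_required",
    "consent_required",
    "interaction_required",
    "account_selection_required",
}


def build_authorize_url(domain, client_id, redirect_uri, state, silent):
    """Build an /authorize URL; silent=True adds prompt=none (hypothetical helper)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",
        "state": state,
        "redirect_uri": redirect_uri,
    }
    if silent:
        params["prompt"] = "none"
    return "https://" + domain + "/authorize?" + urllib.parse.urlencode(params)


def handle_callback(callback_url, expected_state):
    """Classify the redirect that answers a prompt=none request.

    Returns (action, value):
      ("exchange_code", code)     silent login worked
      ("interactive_login", err)  no usable session; retry without prompt=none
      ("reject", reason)          state mismatch or unexpected error
    """
    qs = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    # Constant-time comparison; a wrong or missing state means the response
    # does not belong to a request this session started.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        return ("reject", "state_mismatch")
    error = qs.get("error", [None])[0]
    if error in NEEDS_INTERACTION:
        return ("interactive_login", error)
    if error:
        return ("reject", error)
    code = qs.get("code", [None])[0]
    return ("exchange_code", code) if code else ("reject", "missing_code")
```

On `interactive_login`, the retry must be built with `silent=False`; resending prompt=none would only reproduce the same error.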

Thanks @nicolas_sabena. I’ll let you know if I get the HAR file. Might take a while … business finding and coordinating an appropriate user, holiday season, etc.