Token lost after refreshing SPA

Hi, I am new to using Auth0.

Two days ago, I started playing with the SPA provided in the quick guide.

I added some connections, created new components that I could pass data to, and modified the API to be able to manipulate the data provided by the token.

The problem is that now I’m trying to implement it in my own project. I set up the authprovider, all the necessary configuration and stuff.

I created a new connection with Google using my keys and id.

I use both projects, mine and the one given as example using the same configuration, both added to the dashboard.

Mine loses the token on refresh, but the other one works fine and only asks for a new login after 24h.

The connection works fine on both, returns the token and can be used without problems as long as it is not refreshed.

I can’t find what I’m doing wrong or where the bug is. If both have the same configuration, they should work the same; one should not lose the session while the other does not.

Hi @Jopax,

Welcome to the Auth0 Community!

I understand that you’re seeing different session behavior from two apps that sound fairly similar. The first thing I’d check is if you’re using the same scopes in both, more specifically are you using the offline_access scope in both?

I hope this helps!

Thanks,
Matt

Hi @matt.g ,

In the end the problem was that I did not have the callback configured correctly.

Now the problem is that, following the documentation, this code should validate the token:

    const { auth } = require('express-oauth2-jwt-bearer');

    const validateAccessToken = auth({
      issuerBaseURL: `https://${process.env.AUTH0_DOMAIN}`,
      audience: process.env.AUTH0_AUDIENCE
    })

It should work in the backend, but I get the following error in the library express-oauth2-jwt-bearer:

AssertionError [ERR_ASSERTION]: You must provide a 'tokenSigningAlg' for validating symmetric algorithms at jwtVerifier

Any idea why this is happening? I have tried to put the keys that appear in the profile but I get a different error.

In the API test that is on GitHub, at first it worked, but after installing mongoose and doing an npm install, I also get that error, so I cannot do anything in my code, nor with the example code.

Hi @Jopax,

I’m glad to hear you were able to resolve the initial issue!

In terms of token validation, looking at the code you shared I think you might just need to add algorithms: ["RS256"] (or whatever algorithm you’re using) to the object after audience: process.env.AUTH0_AUDIENCE.

Let me know if it still doesn’t work after making that change!

Thanks,
Matt

Thanks @matt.g, I had already tried it yesterday and it gave me a new error:

I updated the code like this:

    const validateAccessToken = auth({
      issuerBaseURL: `https://${process.env.AUTH0_DOMAIN}`,
      audience: process.env.AUTH0_AUDIENCE,
      tokenSigningAlg: 'HS256'
    })

And I got this new error:

InvalidTokenError: KeyObject or CryptoKey instances for asymmetric algorithms must not be of type "secret".

I searched for info but found nothing, so I also tried with the keys I might have in the dashboard config, although in theory they would not be needed since I use the new login and should already share the public keys, but there was no way to fix that bug.
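
The two errors quoted in this thread both concern whether the configured signing algorithm and the key type agree with the token being checked. The sketch below is an added example, not code from any poster or from express-oauth2-jwt-bearer: using only Node's `crypto` module, it pins the algorithm from configuration and rejects a key whose type cannot verify it. `signJwt`, `verifyJwt`, `outcome`, the keys and the claims are all constructed for illustration.

```javascript
// Added example: constructed keys and token, Node.js built-ins only.
const crypto = require('node:crypto');

const b64url = (value) => Buffer.from(value).toString('base64url');
const fromB64url = (text) => JSON.parse(Buffer.from(text, 'base64url').toString());

// Build a compact JWS; key is a private KeyObject (RS256) or a secret KeyObject (HS256).
function signJwt(alg, payload, key) {
  const input = `${b64url(JSON.stringify({ alg, typ: 'JWT' }))}.${b64url(JSON.stringify(payload))}`;
  const sig = alg === 'RS256'
    ? crypto.sign('sha256', Buffer.from(input), key)
    : crypto.createHmac('sha256', key).update(input).digest();
  return `${input}.${sig.toString('base64url')}`;
}

// Verify with a pinned algorithm: the configuration, not the token header,
// decides which algorithm and which key family are acceptable.
function verifyJwt(token, { tokenSigningAlg, key }) {
  if (!['RS256', 'HS256'].includes(tokenSigningAlg)) throw new Error('unsupported tokenSigningAlg');
  const [head, body, sig] = token.split('.');
  if (!head || !body || !sig) throw new Error('malformed token');
  const { alg } = fromB64url(head);
  if (alg !== tokenSigningAlg) {
    throw new Error(`token alg ${alg} does not match configured ${tokenSigningAlg}`);
  }
  const symmetric = alg === 'HS256';
  if (symmetric !== (key.type === 'secret')) {
    throw new Error(`key of type "${key.type}" cannot verify ${alg}`);
  }
  const input = Buffer.from(`${head}.${body}`);
  const given = Buffer.from(sig, 'base64url');
  const expected = symmetric ? crypto.createHmac('sha256', key).update(input).digest() : null;
  const ok = symmetric
    ? given.length === expected.length && crypto.timingSafeEqual(given, expected)
    : crypto.verify('sha256', input, key, given);
  if (!ok) throw new Error('bad signature');
  return fromB64url(body);
}

// Constructed sample: an RS256-signed token plus a shared secret that did not sign it.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const secret = crypto.createSecretKey(Buffer.from('constructed-shared-secret'));
const rsToken = signJwt('RS256', { iss: 'https://tenant.example.invalid/', aud: 'api' }, privateKey);

// Return 'accepted' or the rejection reason for the RS256 token under a given configuration.
function outcome(config) {
  try { verifyJwt(rsToken, config); return 'accepted'; } catch (err) { return err.message; }
}
```

Calling `outcome` with `{ tokenSigningAlg: 'RS256', key: publicKey }` accepts the token, while pairing the same token with `HS256` or with the secret key returns the reason it was rejected.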

Hi @Jopax,

Thanks for the quick response! Would you mind DM’ing me your tenant name so I can look at your configuration from our end?

Thanks,
Matt

Hey Jopax,

I am also working with Auth0 with refresh tokens. What was the solution that you found?

Thanks,
Cameron