Two tabs open, signing in 2nd time with different email, but gets signed into wrong user. (@auth0/auth0-spa-js)

Hello. I’m not exactly sure what I am doing wrong, and it seems to be a corner case, but we actually had some real users encountering this problem so I need to address it.

I can reproduce the issue by having two browser tabs open. In the first tab I log in with redirect:

this.state.auth0Client.loginWithRedirect({
        mode: 'login',
        login_hint: email // 'email1@login.com'
});

I get redirected to the Auth0 hosted login page, the correct email is prefilled in the email field, and I can also see in the request URL that the same email is present there as the hint.

I log in and receive an ID token, which also contains the right email (email1@login.com), and I see some cookies are created…

I then use this idToken to authorize on our end against our own auth service.

Now I go to the next tab and login again, but with a different email:

this.state.auth0Client.loginWithRedirect({
        mode: 'login',
        login_hint: email // 'email2@login.com'
});

This time, I can see again in the request URL to the hosted login page that the new email (email2@login.com) is passed as the login_hint param. But instead of being able to sign in to this account, the login page is skipped, and I receive the idToken from the last logged-in user.

I assume that this is because the hosted login page recognizes the cookies from earlier, and logs me in based on that. This is neat if it's actually the same user, and they can skip the whole password thing. But it becomes a problem in our case, when a new email is treated as the same user (from cookies - or however else this request is identified).

I guess the login_hint is not enough to tell the hosted login page that this is in fact a new unique login attempt? I would still want the user to be able to skip the password if the email is the same as the already authorized user, but when entering a new email, I would like to perform a new unique sign-in of the new user.

I hope this makes sense, and that someone here can tell me what I am doing wrong.

Best Regards, Rasmus

Hi @rasmus1,

You should be able to avoid this by adding prompt=login to the authentication request:

this.state.auth0Client.loginWithRedirect({
      mode: 'login',
      login_hint: email, // 'email2@login.com'
      prompt: 'login'
});

This setting indicates whether you want to always show the authentication page or you want to skip if there’s an existing session.

Hi @stephanie.chamblee Thanks for your response. This is indeed helpful, but preferably, I would like to only prompt users with the login screen, if they provide a different email than what the authenticated session holds. But maybe I am asking too much? :slight_smile:

I tried searching for the API documentation for loginWithRedirect, but I couldn’t find it anymore. Do you have a link to this resource?

I see! That makes sense. I’m not sure if there is a built-in way to prompt login only when a different login_hint is provided.

Here is the API documentation for loginWithRedirect: https://auth0.github.io/auth0-react/interfaces/auth0_context.auth0contextinterface.html#loginwithredirect

And here are all of the options available to loginWithRedirect: https://auth0.github.io/auth0-react/interfaces/auth0_context.redirectloginoptions.html

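One way to prompt only when the requested email differs from the session's, as an added example that is not from the thread or from the auth0-spa-js project: check the `email` claim of the returned ID token against the requested address before sending the token to the backend, and retry with `prompt: 'login'` on a mismatch. The helper names and the `expected_email` storage key are hypothetical; options are passed at the top level as in the snippets above, and `getUser()`, `handleRedirectCallback()` and `getIdTokenClaims()` are the SDK client's methods.

```javascript
// Added example: hypothetical helpers, not part of auth0-spa-js.
// Assumption: emails are compared case-insensitively after trimming.
const normalizeEmail = (e) => (typeof e === 'string' ? e.trim().toLowerCase() : '');

// Before redirecting: force the login page only when this tab already knows
// the session belongs to a different account. currentUser may be undefined.
function buildLoginOptions(currentUser, requestedEmail, forcePrompt = false) {
  const options = { login_hint: requestedEmail };
  const current = normalizeEmail(currentUser && currentUser.email);
  if (forcePrompt || (current && current !== normalizeEmail(requestedEmail))) {
    options.prompt = 'login';
  }
  return options;
}

// After the redirect: login_hint is only a hint, so the email claim in the
// ID token is what must match before the token is sent to the backend.
function checkIdToken(idTokenClaims, requestedEmail) {
  const claimed = normalizeEmail(idTokenClaims && idTokenClaims.email);
  const wanted = normalizeEmail(requestedEmail);
  return claimed !== '' && claimed === wanted ? 'accept' : 'reprompt';
}

// Wiring: sessionStorage is per tab, so each tab remembers its own request.
async function loginAs(auth0Client, requestedEmail, forcePrompt = false) {
  const currentUser = await auth0Client.getUser();
  sessionStorage.setItem('expected_email', requestedEmail);
  await auth0Client.loginWithRedirect(
    buildLoginOptions(currentUser, requestedEmail, forcePrompt));
}

// Call on the callback page; sendToBackend is the app's own token exchange.
async function completeLogin(auth0Client, sendToBackend) {
  await auth0Client.handleRedirectCallback();
  const claims = await auth0Client.getIdTokenClaims();
  const expected = sessionStorage.getItem('expected_email');
  if (checkIdToken(claims, expected) === 'reprompt') {
    // The existing session answered for another account: ask again, page shown.
    return loginAs(auth0Client, expected, true);
  }
  return sendToBackend(claims.__raw); // raw ID token string
}
```

A fresh tab usually has no cached user, so the pre-redirect comparison often cannot fire there; the post-redirect claim check is what catches the two-tab case, and the backend should apply the same comparison to the token it receives.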

Thanks a lot Stephanie!


You’re very welcome! Please let us know if you have any additional questions.
