Unexpected (and unwanted) exchange during isLoading (from useAuth0)

I’m seeing an unexpected and unwanted exchange with the Auth0 server during the startup of my React SPA configured with useAuth0. This exchange is happening while the App waits for isLoading to become false.

I have several instances of User (created for use during development). I made sure that all of them were logged out, and confirmed this by examining the “Logs” from the dashboard prior to starting my application.

The following screenshot shows the Auth0 log (from my Tenant dashboard) prior to launching my application. Note that the most recent entry is a “Success Logout”, as expected.

I set a breakpoint in the app (I use VisualStudio code) just after isLoading becomes false.

I then launched the app and waited for it to stop at the breakpoint. The following screenshot shows the same “Log” page (from the Tenant dashboard). This second screenshot is taken while the application is paused just after isLoading became false. None of my other application code has run, and so I know of no way that my code could invoke a “Silent Authentication”:

The log shows two new entries:

  1. “Successful Silent Auth”
  2. “Success Exchange”

The raw JSON (from the Log page) of the first is (slightly sanitized):

{
  "date": "2022-12-15T17:11:23.251Z",
  "type": "ssa",
  "client_id": "<elided>",
  "client_name": "DataBrowser dev",
  "ip": "<elided>",
  "user_agent": "Chrome 108.0.0 / Windows 10.0.0",
  "details": {
    "prompts": [],
    "completedAt": 1671124283249,
    "elapsedTime": null,
    "session_id": "BPORiCsFf5ODBpxcPY9dT1732uz5VKxp"
  },
  "hostname": "0-0-zeetix.us.auth0.com",
  "session_connection": "Username-Password-Authentication",
  "user_id": "auth0|6352e274ec33101e32eacea1",
  "user_name": "joe.christmas.zeetix@gmail.com",
  "auth0_client": {
    "name": "auth0-react",
    "version": "1.11.0"
  },
  "log_id": "90020221215171124348353061685550517034170893575760379970",
  "_id": "90020221215171124348353061685550517034170893575760379970",
  "isMobile": false,
  "id": "90020221215171124348353061685550517034170893575760379970",
  "description": "Successful silent authentication"
}

The raw JSON for the second is (slightly sanitized):

{
  "date": "2022-12-15T17:11:24.102Z",
  "type": "seacft",
  "description": "Authorization Code for Access Token",
  "connection_id": "",
  "client_id": "<elided>",
  "client_name": "DataBrowser dev",
  "ip": "73.16.152.225",
  "user_agent": "Chrome 108.0.0 / Windows 10.0.0",
  "details": {
    "code": "******************************************Gzm"
  },
  "hostname": "0-0-zeetix.us.auth0.com",
  "user_id": "auth0|6352e274ec33101e32eacea1",
  "user_name": "joe.christmas.zeetix@gmail.com",
  "auth0_client": {
    "name": "auth0-react",
    "version": "1.11.0"
  },
  "log_id": "90020221215171127885276781579849591922107583610465812530",
  "_id": "90020221215171127885276781579849591922107583610465812530",
  "isMobile": false,
  "id": "90020221215171127885276781579849591922107583610465812530"
}

The effect of this unexpected and unwanted exchange is that by the time my application finishes launching, isAuthenticated has a value of true and user contains the values of one of my test users (“Joe Christmas”, with apologies to William Faulkner).

This is incorrect – Joe Christmas was logged out (“Joe Christmas” was the subject of the “Successful Logout” in the first screenshot), and should not be logged in again – at least not without clicking my “Signin” button.

This incorrect value confuses my backend server, because that backend server has preserved the state for that test user and correctly records that the test user is logged out.

When my users are all logged out, I expect the value of isAuthenticated to be false and I expect the value of user to be either null or undefined. I do not expect the state change of isLoading from true to false to initiate a “Silent Authentication”. I see nothing in my code (ProviderWithHistory.js is the only code that has been executed) that provides an Auth0 userID or email.

Is there some configuration step that I’m missing that is causing this unexpected and unwanted behavior? Is this a bug in useAuth0? Is there a workaround?

I appreciate the attention and guidance of this community.