User Logged In Automatically With Expired Tokens

Hi,

We are using the "@auth0/auth0-spa-js": "1.13.6" package for our application with React.

We are also using Universal Login.

Using the Auth0 dashboard we have set the following settings:

With the above configuration we can see successful Token Refreshes happening.

The problem we have is that when the user closes their browser for long enough so that the Refresh Token expires, opens a new browser instance and navigates to our application, they get logged in automatically.

We have the useRefreshTokens: true property set for the Auth0 client, and to check if the user is logged in when loading the app we use the getTokenSilently(options) function with the ignoreCache: true option set. The getTokenSilently function correctly throws a “Login Required” error when the token has expired, as expected. But when we call loginWithRedirect, the user somehow gets logged in automatically, even though the tokens have expired.

We also tried the latest 1.15 version of the package with the same result.

Please assist.