WebAuthn Challenge Failure after Silent Auth

Hey everyone,

We recently received an alert on Sentry about a user who failed to log in with the error message: “Login required.” When reviewing the Auth0 monitoring logs, we noticed two entries logged in quick succession:

  1. Failed Silent Auth
  2. WebAuthn Challenge Failure

The user was already authenticated into the system prior to this error, and according to our session recorder tool, the user didn’t appear to be impacted or logged out.

Below are the relevant JSON logs for these events:

Failed Silent Auth

{
  "date": "2024-11-06T07:07:09.913Z",
  "type": "fsa",
  "description": "Login required",
  "client_id": "[REDACTED]",
  "client_name": "Example Webapp",
  "ip": "[REDACTED]",
  "user_agent": "Edge 130.0.0 / Windows 10.0.0",
  "details": {
    "qs": {
      "client_id": "[REDACTED]",
      "scope": "openid profile email",
      "redirect_uri": "https://app.example.com",
      "audience": "bff-api",
      "prompt": "none",
      "organization": "[REDACTED]",
      "response_type": "code",
      "response_mode": "web_message",
      "state": "[REDACTED]",
      "nonce": "[REDACTED]",
      "code_challenge": "[REDACTED]",
      "code_challenge_method": "S256",
      "auth0Client": "[REDACTED]"
    },
    "error": {
      "message": "Login required",
      "oauthError": "login_required",
      "type": "oauth-authorization"
    }
  },
  "audience": "bff-api",
  "scope": ["openid", "profile", "email"],
  "auth0_client": {
    "name": "auth0-react",
    "version": "2.2.4"
  },
  "log_id": "[REDACTED]",
  "tenant_name": "example-security"
}

WebAuthn Challenge Failure

{
  "date": "2024-11-06T07:07:47.040Z",
  "type": "gd_webauthn_challenge_failed",
  "description": "WebAuthn browser error",
  "ip": "[REDACTED]",
  "user_agent": "Edge 130.0.0 / Windows 10.0.0",
  "details": {
    "authenticator": {
      "id": "[REDACTED]",
      "type": "webauthn-platform"
    },
    "session_id": "[REDACTED]"
  },
  "user_name": "[REDACTED]",
  "log_id": "[REDACTED]",
  "tenant_name": "example-security"
}

Hi @yoni.n!

Welcome to the Auth0 Community!

The login_required error means the user was not logged in at Auth0, so silent authentication is impossible. This error can occur based on the way the tenant-level Log In Session Management settings are configured; specifically, it can occur after the time period set in the Require log in after setting.

When the login_required error is returned, the user must be redirected to the Auth0 login page without the prompt=none parameter to authenticate. See: Configure Silent Authentication

Can you provide your Log In Session Management settings? See: Configure Session Lifetime Settings

The gd_webauthn_challenge_failed errors are emitted when the browser fails to perform the requested WebAuthn action (get or create credentials).

Ultimately, it looks like silent authentication was attempted. The user was not logged in/did not have a valid session and was not redirected back to the login page, which resulted in the login_required error. Then, since the browser could not perform the requested action, which would likely take place on the login page, the gd_webauthn_challenge_failed error was emitted.

I’d be happy to examine the specific user and their session internally further if you could send me your tenant name, the user_id, and the log IDs in a private message.

I look forward to your reply!

Best,

Mary Beth
