isAuthenticated returning false after successful login

[alicemao23]

Hi,

Its my first time using the auth0-react SDK. I've implemented the login flow using guide, and have configured my app on Auth0 with Social Connection to LinkedIn. First login, the user is redirected to the UniversalLogin when they can login through LinkedIn, but as the user is redirected back to the application, the isAuthenticated value still remains false, and I see the POST require to oauth/token returning 401 unauthorized. On the Auth0 dashboard it also showed a successful login attempt with the user account.

I've provided the Auth0Provider with the appropriate props & values filled in of course,

    <Auth0Provider
            domain=""
            clientId=""
            redirectUri={window.location.origin}
            audience=""
            onRedirectCallback={onRedirectCallback}>

Am I missing anything?

The request header for the failing oauth/token request includes grant-type: authorization-code, with the code values from successful login request. On the Auth0 documentation, it seems that client-side applications should only be using grant-type: implicit. Could this be the issue? Is there any way to specific the request sent by the SDK to oauth/token as grant-type=implicit? Any help in how to fix this issue is greatly appreciated 🙏🏼

[adamjmcgrath]

Hi @alicemao23 - thanks for raising your issue

This library uses the Authorization Code Flow with PKCE (https://auth0.com/docs/flows/concepts/auth-code-pkce) so grant_type: "authorization_code" is expected.

I see the POST require to oauth/token returning 401 unauthorized

You should get an error and error_description properties back in the body of the response which you can check. Also, you should also get a "Failed exchange" in your Auth0 tenant logs with some more information https://manage.auth0.com/#/logs

From what I can see your config looks fine. If you have a running version of an app, or can share the code, I might be able to help you debug the issue.

[alicemao23]

Hi @adamjmcgrath!

Thanks for getting back. So the error is access_denied & error description is unauthorized. The behaviour that I have been consistently able to replicate is

1. On initial login, loginWithRedirect() will direct screen to log in, the flow goes through, on successful login, the user is redirected back to the app as expected. But Network call to "/oauth/token" returns 401 unauthorized with the error message and description above. isAuthorized from useAuth0 returns false.

2. Then user tries to use loginWithRedirect() again, the user is not taken to the login widget, page refreshes, I assume from the redirect, and then the network call to /oauth/token is also made and returns the same error response in the body.

3. I would have to manually call logout if I want to be able to use the login flow again from 1.

I don't have a running version of the app right now, just started up and is trying to work out the authentication part. I could definitely share the code, I just don't know of a way of me sharing it safely without needing to share sensitive data like my client id. Do you have any suggestions?

Thank you!

[adamjmcgrath]

Hi @alicemao23

clientId, domain and audience are not considered confidential, if you were to share a running app I would be able to see them just like I would if you were to share the app's sourcecode - that's because a SPA is a public client and there is no way to hide them.

So the error is access_denied & error description is unauthorized.

I'm not sure what your issue might be, do you have any rules configured on your tenant perhaps? Do the other values you are sending in the /oauth/token request look sensible? Are you sending the request more than once?

If you feel able to share your code, or a sample app where I can reproduce the issue, I might be able to help. But from the information you've given me I wont be able to figure much out

[adamjmcgrath]

You could also try running the basic sample app in this repo: https://github.com/auth0/auth0-react/blob/master/CONTRIBUTING.md#local-development replacing our clientId and domain for yours and seeing if that works

[puengel]

Hi @adamjmcgrath ,

You could also try running the basic sample app in this repo: https://github.com/auth0/auth0-react/blob/master/CONTRIBUTING.md#local-development replacing our clientId and domain for yours and seeing if that works

I tried that. My management logs show Success Login and Success Exchange. Though in the webapp I'm not logged in. Error message there is Error: Invalid state

Full Error stack:

Inline Babel script:24 Error: Invalid state
    at e.<anonymous> (auth0-spa-js.production.esm.js:15)
    at auth0-spa-js.production.esm.js:15
    at Object.next (auth0-spa-js.production.esm.js:15)
    at auth0-spa-js.production.esm.js:15
    at new Promise (<anonymous>)
    at o (auth0-spa-js.production.esm.js:15)
    at e.handleRedirectCallback (auth0-spa-js.production.esm.js:15)
    at auth0-provider.tsx:196
    at step (auth0-react.js:95)
    at Object.next (auth0-react.js:76)
App @ Inline Babel script:24
renderWithHooks @ react-dom.development.js:14938
updateFunctionComponent @ react-dom.development.js:17169
beginWork @ react-dom.development.js:18745
beginWork$1 @ react-dom.development.js:23314
performUnitOfWork @ react-dom.development.js:22289
workLoopSync @ react-dom.development.js:22265
performSyncWorkOnRoot @ react-dom.development.js:21891
(anonymous) @ react-dom.development.js:11224
unstable_runWithPriority @ react.development.js:2685
runWithPriority$1 @ react-dom.development.js:11174
flushSyncCallbackQueueImpl @ react-dom.development.js:11219
flushSyncCallbackQueue @ react-dom.development.js:11207
scheduleUpdateOnFiber @ react-dom.development.js:21334
dispatchAction @ react-dom.development.js:15795
(anonymous) @ auth0-provider.tsx:203
step @ auth0-react.js:95
(anonymous) @ auth0-react.js:76
rejected @ auth0-react.js:67
Promise.then (async)
step @ auth0-react.js:68
(anonymous) @ auth0-react.js:69
__awaiter @ auth0-react.js:65
(anonymous) @ auth0-provider.tsx:192
(anonymous) @ auth0-provider.tsx:205
commitHookEffectListMount @ react-dom.development.js:19866
commitPassiveHookEffects @ react-dom.development.js:19904
callCallback @ react-dom.development.js:182
invokeGuardedCallbackDev @ react-dom.development.js:231
invokeGuardedCallback @ react-dom.development.js:286
flushPassiveEffectsImpl @ react-dom.development.js:22988
unstable_runWithPriority @ react.development.js:2685
runWithPriority$1 @ react-dom.development.js:11174
flushPassiveEffects @ react-dom.development.js:22955
(anonymous) @ react-dom.development.js:22834
workLoop @ react.development.js:2629
flushWork @ react.development.js:2584
performWorkUntilDeadline @ react.development.js:2196

[adamjmcgrath]

Hi @puengel - thanks for your input

Could you raise a separate issue and share all the information I need to reproduce the error you're seeing?

[puengel]

Issue moved here #51

[adamjmcgrath]

Hi @alicemao23 - let me know if you've had any luck fixing your issue.

Another thing to check would be that you have "Allowed Web Origins" set correctly in your dashboard.

And that your Auth0 Application in your dashboard is set to "Single Page Application"

Let me know if either of those suggestions helps

[mwarnerdotme]

I am also experiencing this same issue. I cloned the sample app (https://github.com/auth0-samples/auth0-react-samples) and added a config file with my Auth0 application's domain, clientId, and audience (the audience may be incorrect - I'm not sure what to put for that because it's not documented anywhere).

When I start my react app and visit localhost:3000, it redirects me to the Auth0 login page as expected and I successfully log in - the logs even show a successful login - but then there is the "Failed Exchange" error message as mentioned above with the 401 to /oauth/token. I also see the "Oops... Unauthorized" message in the sample app.

What is going on? How can I fix this? Is my application configured incorrectly in Auth0?

[ghost]

I'm having this same issue over the last two days. Same behavior as mentioned above: the user is directed to the lock login page, redirected back to the app, user authentication is never returned. I checked Issue #51 , but we have no rules in our app so this would not apply to our situation.

{
  "date": "2020-07-05T03:13:29.663Z",
  "type": "s",
  "connection_id": "",
  "client_id": "7o21rTYAsoK0xKec9UxK2olZppzy7j56",
  "client_name": "", <removed>
  "ip": "65.128.14.22",
  "user_agent": "Chrome 83.0.4103 / Windows 10.0.0",
  "details": {
    "prompts": [],
    "completedAt": 1593918809662,
    "elapsedTime": null,
    "session_id": "X6LOaGTzDP35GD7I9HjGm57iH5wqhLtz"
  },
  "hostname": "", <removed>
  "user_id": "auth0|5efce1eda15b7b001361c588",
  "user_name": "", <removed>
  "auth0_client": {
    "name": "auth0-react",
    "version": "1.0.0"
  },
  "log_id": "90020200705031335800043426049758653529361151510378971138",
  "_id": "90020200705031335800043426049758653529361151510378971138",
  "isMobile": false,
  "description": "Successful login"
}

  "prompts": [],
  "completedAt": 1593918809662,
  "elapsedTime": null,
  "session_id": "X6LOaGTzDP35GD7I9HjGm57iH5wqhLtz"
}

This has been a very disappointing way of spending the holiday weekend. :(

[mwarnerdotme]

@avala-HFI we hired a consultant familiar with Auth0 to fix our application in the Auth0 dashboard - he hasn't gotten to me with the changes that he made to get it working, but as soon as I know I will post it here and submit a request to Auth0 to update their documentation for this SDK since their steps do not work OOB

[adamjmcgrath]

Hi @avala-HFI

Could you check if you have "Allowed Web Origins" set to the origin of your webapp (eg http://localhost:3000)?
And that your Auth0 Application in your dashboard is set to "Single Page Application":

Let me know if either of those suggestions helps

as soon as I know I will post it here and submit a request to Auth0 to update their documentation for this SDK

Thanks @mwarnerdotme! please let us know if there's anything we can do to improve our docs

[ghost]

@mwarnerdotme you are my personal hero! I'm looking forward to hearing what your consultant finds!

@adamjmcgrath, I have two applications that are both set to Single Page Application and the Allowed Web Origins are set to http://localhost:3000.

[adamjmcgrath]

Thanks for confirming @avala-HFI

Can you share a link to one of these running apps or the code so I can run one myself and debug the issue?

[ghost]

@adamjmcgrath I'll have something out later this afternoon.

[ghost]

@adamjmcgrath I've created a fairly basic React-Express-Node app using the same Auth0 quickstart guide and Auth0 application settings as our private projects. In all cases using the Quickstart guide, I'm experiencing the exact same issue where isAuthenticated returning false. You can find the example project here. Please let me know if you need any additional information.

React Developer Tools

Console Error stack

[alicemao23]

@adamjmcgrath Hi everyone, actually I have found a workaround on this issue even though I'm not exactly sure why this was the way it was. I also cannot replicate it, so maybe this will help (fingers crossed). My tenant was configured to be SinglePageApplication with Token End Point Authentication to be None

I actually changed it to be a few other variations of values including "Regular Web Application": POST & "Regular Web Application": None, saved my changes, and tried using the SDK to log in a couple more times.

Obviously the configurations above weren't valid, so I switched back toSingle Page Application: None, and the SDK started returning the expected authentication values for me. You could try re-updating your tenant configuration, not sure if this will help anyone else experiencing this issue.

[ghost]

@alicemao23 @adamjmcgrath That worked!

I first toggled our application to "Regular Web Application": None and that worked. I then toggled to "Regular Web Application": POST and Basic, neither of which worked. I then toggled it back to Single Page Application: None and it worked.

[adamjmcgrath]

Ah, thanks @alicemao23 @avala-HFI! I'm not sure why both your tenants were incorrectly configured even though they were showing the correct configuration Single Page Application: None.

I've just tested this myself by creating a new SPA Application in the dashboard and it seems to be working now, but I'll keep an eye out to see if anyone else runs into this and raise it internally.

Closing this issue, feel free to reopen if you run into this again

[pione30]

I was facing the same issue, now fixed with the workaround @alicemao23 provided. Thanks.

[abraidotti]

I have the same issue but @alicemao23's fix didn't work for me. Any updates on this?

[sloansparger]

I faced the same issue and @alicemao23's fix worked for me as well. 👍

[tarik350]

Hi @alicemao23 - let me know if you've had any luck fixing your issue.

Another thing to check would be that you have "Allowed Web Origins" set correctly in your dashboard.

And that your Auth0 Application in your dashboard is set to "Single Page Application"

Let me know if either of those suggestions helps

after trying lots of alternatives this one has worked for me. from application type drop down menu you have to select single page application and the problem you are facing will probably disppear