User is not authenticated on page refresh. #60

Closed
a-c-sreedhar-reddy opened this issue Jul 7, 2020 · 8 comments

@a-c-sreedhar-reddy

a-c-sreedhar-reddy commented Jul 7, 2020

Description

User logs in with the loginWithRedirect function. But on refreshing the page, useAuth0 returns isAuthenticated as false.
But on calling loginWithRedirect, the user gets authenticated without any credentials.

Reproduction

I am using Google OAuth.

Environment

  • **Version of this library used:** 1.0.0
  • Browser: Brave
@adamjmcgrath
Contributor

Hi @a-c-sreedhar-reddy

It sounds like you're using the developer keys to test logging in with social identity providers. These developer keys have some limitations - in your case they prevent silent auth from working, which is why your login is not persisted between page refreshes.

If you change the keys of your Google social connection in the Auth0 dashboard, this should resolve the issue https://manage.auth0.com/#/connections/social

More info here: https://auth0.com/docs/connections/social/devkeys

Closing for now, feel free to reopen if you have any other questions

@a-c-sreedhar-reddy
Author

Hi @adamjmcgrath. I have added the Google keys. Even then, on page refresh isAuthenticated is false.

I have added the fetch requests below.

This one gets called when I refresh.

```js
fetch("https://mydomain.us.auth0.com/authorize?client_id=**clientid**&redirect_uri=http%3A%2F%2Flocalhost%3A3000&scope=openid%20profile%20email%20offline_access&response_type=code&response_mode=web_message&state=UmxzMXRoZ0w4LnhBSDBaa0ExRDhrbU8tckNHfkRySW9wQ3RaSFpmdGZWaQ%3D%3D&nonce=T2UwLUFkWmc2Sy5kMGg3Wl9uWVA1cDMzfkUyLlE4VUprSEl4M005bWJPTw%3D%3D&code_challenge=gBfcHonM-5E2rhD6Q79zvvpgqWGczhrOFUVOvtmceHo&code_challenge_method=S256&prompt=none&auth0Client=**auth0Client**", {
  "headers": {
    "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
    "accept-language": "en-GB,en-US;q=0.9,en;q=0.8",
    "sec-fetch-dest": "iframe",
    "sec-fetch-mode": "navigate",
    "sec-fetch-site": "cross-site",
    "upgrade-insecure-requests": "1"
  },
  "referrer": "https://mydomain.us.auth0.com/",
  "referrerPolicy": "no-referrer-when-downgrade",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "omit"
});
```

This one gets called when loginWithRedirect is called.

```js
fetch("https://mydomain.us.auth0.com/authorize?client_id=**clientid**&redirect_uri=http%3A%2F%2Flocalhost%3A3000&scope=openid%20profile%20email%20offline_access&response_type=code&response_mode=query&state=aDh6cnNtWkFtVEpyZTBjR04zYV9NNTF1QzJJWjlCRXVSQ1JuZHZuNXUwNg%3D%3D&nonce=bTliSG5RUmdURE5GYm5QdnFGUHZacUpHdGpRQjFzN1lvQVV2Y3MySDVYYw%3D%3D&code_challenge=f9-iNbG8u0HCNlXfghT4UlbkPRZNVd7rdaiBOpKu3DM&code_challenge_method=S256&auth0Client=**auth0Client**", {
  "headers": {
    "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
    "accept-language": "en-GB,en-US;q=0.9,en;q=0.8",
    "sec-fetch-dest": "document",
    "sec-fetch-mode": "navigate",
    "sec-fetch-site": "cross-site",
    "sec-fetch-user": "?1",
    "upgrade-insecure-requests": "1"
  },
  "referrerPolicy": "no-referrer-when-downgrade",
  "body": null,
  "method": "GET",
  "mode": "cors",
  "credentials": "include"
});
```

@adamjmcgrath adamjmcgrath reopened this Jul 7, 2020
@adamjmcgrath
Contributor

Hi @a-c-sreedhar-reddy - can you let me know which browser you are using?

@a-c-sreedhar-reddy
Author

Hi @adamjmcgrath I am using Brave browser. I am sorry for not mentioning it in the issue.

@a-c-sreedhar-reddy
Author

Hey @adamjmcgrath. Just now checked in Chrome. In Chrome it is working fine.

@adamjmcgrath
Contributor

Hey @a-c-sreedhar-reddy - you're running into the Intelligent Tracking Prevention (ITP) browser restrictions of Safari and Brave (and soon Chrome)

Your 2 options are to either use Rotating Refresh Tokens (see https://auth0.com/docs/libraries/auth0-spa-js#use-rotating-refresh-tokens) or a Custom Domain (see https://auth0.com/docs/custom-domains)

Closing for now, feel free to reopen if you have any more questions
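
The difference between the two requests posted above can be checked mechanically. The following is an added diagnostic example, not part of the original comments and not code from auth0-react or auth0-spa-js; the sample URLs, `CLIENT_ID`, `tenant` and `login.example.com` are constructed placeholders, and "same site" is approximated by comparing the last two host labels (an assumption, with no public-suffix list).

```javascript
// Added diagnostic example; not code from auth0-react or auth0-spa-js.
// Naive "site" = last two host labels (assumption: no public-suffix list),
// with localhost and IP-like hosts treated as their own site.
function siteOf(hostname) {
  if (hostname === "localhost" || /^[\d.]+$/.test(hostname)) return hostname;
  return hostname.split(".").slice(-2).join(".");
}

function analyzeAuthorizeRequest(authorizeUrl, appOrigin) {
  const url = new URL(authorizeUrl);
  const app = new URL(appOrigin);
  const p = url.searchParams;
  // prompt=none asks the authorization server to answer without UI, so it can
  // only succeed if the server's session cookie arrives with the request.
  const silent = p.get("prompt") === "none";
  // response_mode=web_message is delivered via postMessage from a hidden iframe.
  const iframe = p.get("response_mode") === "web_message";
  const crossSite = siteOf(url.hostname) !== siteOf(app.hostname);
  return {
    silent,
    iframe,
    crossSite,
    // A cross-site iframe is where tracking prevention withholds cookies.
    needsThirdPartyCookie: silent && iframe && crossSite,
  };
}

// Constructed sample URLs shaped like the two requests in this thread
// (tenant, client_id and custom domain are placeholders).
const base = "client_id=CLIENT_ID&redirect_uri=https%3A%2F%2Fapp.example.com&response_type=code";
const onRefresh = `https://tenant.us.auth0.com/authorize?${base}&response_mode=web_message&prompt=none`;
const onLogin = `https://tenant.us.auth0.com/authorize?${base}&response_mode=query`;
const customDomain = `https://login.example.com/authorize?${base}&response_mode=web_message&prompt=none`;

for (const [name, u] of Object.entries({ onRefresh, onLogin, customDomain })) {
  console.log(name, analyzeAuthorizeRequest(u, "https://app.example.com"));
}
```

Only the refresh-time request depends on a third-party cookie; the same silent request against a same-site custom domain does not.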

@johnjacobkenny

I am having the same issue. I tried #49 (comment) but no success. I also tried enabling Rotating Refresh Tokens as mentioned in a previous comment, but still to no avail.

I have documented my issue here before I came across this issue.

@johnjacobkenny

> Hi @a-c-sreedhar-reddy
>
> It sounds like you're using the developer keys to test logging in with social identity providers. These developer keys have some limitations - in your case they prevent silent auth from working, which is why your login is not persisted between page refreshes.
>
> If you change the keys of your Google social connection in the Auth0 dashboard, this should resolve the issue https://manage.auth0.com/#/connections/social
>
> More info here: https://auth0.com/docs/connections/social/devkeys
>
> Closing for now, feel free to reopen if you have any other questions

If this is an expected behavior, then I suppose my auth is "working as expected". However, I'm still getting this error for Samesite cookies. That's what made me look deeper into this issue.
