fix(account): silent re-auth on user info error instead of forcing login

[taka-guevara]

Summary

Fixes #8657.

When two users share a browser and switch accounts through an external Logto-backed app, the Account Center forces the second user through a login screen even though their OIDC session is already valid.

User-switch scenario. User A signs in via an external app that uses Logto as its IdP and visits the Account Center, which writes A's tokens to localStorage on the Logto origin. A signs out (end_session), destroying A's OIDC session and revoking A's session-bound refresh token — but A's localStorage entries remain on the browser. User B signs in via the same external app on the same browser, which creates a fresh OIDC session for B. When B follows a link to the Account Center, the SDK reads A's stale tokens, hits /api/my-account, gets 401, and the refresh attempt fails too (A's refresh token was revoked with A's session). userInfoError fires, and today's code redirects with prompt=login — even though B has a valid OIDC session cookie on the Logto origin.

Note: this is not about ordinary access-token expiry. With alwaysIssueRefreshToken: true + includeReservedScopes: false, the SDK gets a session-bound refresh token and handles plain expiry transparently. The visible login screen specifically happens when the refresh token itself is invalid — most commonly the user-switch scenario above.

This PR distinguishes "OIDC session still valid, local token state stale" from "OIDC session gone" by delegating the decision to the authorization server: first try prompt=none, and only fall back to prompt=login when the provider answers error=login_required.

Implementation

@logto/react's signIn() performs a browser redirect (window.location.assign to /oidc/auth), so a naïve try { await signIn({ prompt: Prompt.None }) } catch { signIn({ prompt: Prompt.Login }) } does not work — the page navigates away before the Promise settles. The OIDC error response (login_required) is only observable as a URL query parameter on the next page load.

The fix is a two-phase flow in App.tsx:

1. Phase 1 — on userInfoError (while authenticated), redirect with prompt=none so the OIDC provider attempts silent re-authentication via the session cookie.
2. Phase 2 — on the next page load, detect error=login_required in the URL parameters and fall back to signIn({ prompt: Prompt.Login }).

Callback.tsx's clearAllTokens() + clearVerificationRecord() still run on the silent-success branch (the callback delivers a fresh code for the actually-authenticated user), so the stale-state cleanup invariant from #8313 / #8554 / #8590 is preserved.

Behavior on the target scenarios

Situation	Before	After
User switch on same browser, B has valid OIDC session	Login screen for B	Silent re-auth as B, A's stale tokens cleared
True logout (no valid OIDC session)	Login screen	Login screen (via login_required fallback)
Account Center disabled (accountCenterSettings.enabled === false)	No redirect (#8637)	No redirect (gate preserved)

Testing

• Reproduced the user-switch scenario locally against svhd/logto:latest: with the fix, User B is silently re-authenticated and lands on the Account Center without a login screen; A's localStorage is cleared by the callback.
• True-logout case: prompt=none returns error=login_required; the fallback path renders the sign-in screen as before.
• Unit tests cover the two-phase flow in App.test.tsx (userInfoError while authenticated → Prompt.None; error=login_required → Prompt.Login fallback; accountCenterSettings.enabled === false regression for both branches; regular unauthenticated sign-in still fires; auth callback in flight skips the redirects) and Callback.test.tsx (mount-time clearAllTokens() + clearVerificationRecord() invariant; error UI on callback failure).

Checklist

• .changeset
• unit tests
• integration tests
• necessary TSDoc comments

[Copilot]

Pull request overview

This PR updates Account Center’s re-authentication behavior when /api/my-account fails: it now attempts a silent OIDC re-auth (prompt=none) first, and only forces an interactive login (prompt=login) if the authorization server returns error=login_required. This better distinguishes “stale local tokens” from “no valid server-side OIDC session,” addressing issue #8657 while keeping the stale-state cleanup flow intact.

Changes:

• Add a two-phase re-auth flow in App.tsx: try silent auth on userInfoError, then fall back to explicit login when error=login_required is observed on the next load.
• Add a changeset documenting the behavioral change for @logto/account.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
packages/account/src/App.tsx	Switch userInfoError handling to attempt Prompt.None first, with a login_required URL-detected fallback to Prompt.Login.
.changeset/silent-account-reauth.md	Patch changeset describing silent re-auth + fallback behavior and rationale.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

COMPARE TO master

Total Size Diff ⚠️ 📈 +12.03 KB

Diff by File

Name	Diff
.changeset/silent-account-reauth.md	📈 +591 Bytes
packages/account/jest.config.ts	📈 +49 Bytes
packages/account/package.json	📈 +89 Bytes
packages/account/src/App.test.tsx	📈 +5.27 KB
packages/account/src/App.tsx	📈 +1.08 KB
packages/account/src/Callback.test.tsx	📈 +1.42 KB
packages/account/src/jest.setup.ts	📈 +1.02 KB
packages/account/src/use-auth-redirect.ts	📈 +3.86 KB
pnpm-lock.yaml	📈 +849 Bytes

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

[wangsijie]

Thanks for the detailed follow-up and the implementation. I think the direction makes sense for the clarified user-switch scenario: Account Center may have stale tokens for User A while the browser already has a valid OIDC session for User B, and trying prompt=none first lets the authorization server silently recover before falling back to prompt=login.

Could you update the PR / issue wording to focus on that scenario rather than ordinary access-token expiry? With alwaysIssueRefreshToken: true and includeReservedScopes: false, the normal expired access-token path should be handled by the SDK refresh flow, so the current wording and behavior matrix may overstate the scope.

It would also be great to add test coverage for the new two-step flow, especially:

• userInfoError while authenticated triggers Prompt.None;
• /account?error=login_required falls back to Prompt.Login;
• the successful silent callback path still clears stale tokens / verification state.

If adding those tests is inconvenient in this PR, I can also take care of the test coverage separately.

[taka-guevara]

Thanks for the review! I'll update both the PR and the issue wording, and add the tests as well.

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

[wangsijie]

Overall LGTM, please take a look at Copilot's comments

[gao-sun]

lgtm on changeset

[wangsijie]

@copilot review

[taka-guevara]

Thanks!