
Forced to log in after refresh when using organizations #274

Closed
benedict-jackson opened this issue Sep 8, 2021 · 13 comments
Labels: "more info needed" (This issue is waiting for more information in order to progress), "question" (Further information is requested)

Comments

@benedict-jackson

benedict-jackson commented Sep 8, 2021

I'm not entirely sure if this is a bug with this library specifically or more generally with the current implementation of organizations on auth0, but when trying out my react app with organizations enabled I'm forced to re-login every time I refresh.

If the orgId is passed along as part of loginWithRedirect, I just have to click the login button and it seems it can reuse my auth0 session to log me in immediately, but if the org name prompt is enabled they need to type in their org name, then username and password again, which is a usability nightmare.

I'd expect that the session would remember what org I initially logged in as and be able to carry on as usual. In this state I can't migrate to using organisations, even though I'd love to use some of the other features like custom login screens etc.

Edit: Looks like this is an issue in auth0-spa-js, and is currently being looked at, hopefully this can be updated as soon as the fix is released in that library.

auth0/auth0-spa-js#788

@adamjmcgrath
Contributor

@benedict-jackson

> Edit: Looks like this is an issue in auth0-spa-js, and is currently being looked at, hopefully this can be updated as soon as the fix is released in that library.

Correct, we'll pick up this change when it's released to SPA JS.

adamjmcgrath added the "question" label on Sep 8, 2021
@jketcham

I see that auth0/auth0-spa-js#788 [SDK 2692] was merged and released in version v1.18.0 of auth0-spa-js, and then auth0-react was updated to v1.8.0 to include that update.

Unfortunately, I'm still experiencing this issue on the latest version (v1.8.0) when I have an organization set (given to the Auth0Provider). I'm able to login fine, but when I reload the page I'm logged out. I'm running this locally on localhost in Chrome 93.0.4577.82.

Is there something else needed to resolve this? Any tips?

@adamjmcgrath
Contributor

Hi @jketcham - can you confirm you're not running into any of the issues described here: https://github.com/auth0/auth0-spa-js/blob/master/FAQ.md#why-is-the-user-logged-out-when-they-refresh-the-page-in-their-spa

Also, can you confirm if the request to /authorize (in your Network pane when you reload the page) contains the expected org_id parameter?

@jketcham

Hey thanks for the help @adamjmcgrath. I looked at the suggestion in the link you shared and I can confirm:

  • I'm not using a browser that blocks third-party cookies (I'm using Chrome, not in incognito mode)
  • I'm using the new login experience
  • My application has the host I'm using set in the "Allowed Web Origins" field (http://localhost:9000)

I am logging in with a social connection (google), but I've provided my own client id and secret (not Auth0's developer keys).

I do see the request to /authorize (which returns 200) includes an organization query parameter with the correct value I supplied, but it's not named org_id. Not sure if that could be an issue.

And just for reference, I've followed the React Quickstart guide here to setup my app: https://auth0.com/docs/quickstart/spa/react

@adamjmcgrath
Contributor

Thanks for sharing that @stevejarvis - I'm not sure what the issue could be I'm afraid.

Could you create a minimal example that demonstrates the issue, and also include your domain, client id and org id?

@jketcham

@adamjmcgrath I'll work on putting an example together 👍

@jketcham

@adamjmcgrath I went ahead and forked the auth0-react-samples repo and created a branch that reproduces the issue I'm experiencing here: https://github.com/jketcham/auth0-react-samples/tree/jack/organization-reload-issue

I updated the @auth0/auth0-react dependency to 1.8.0 and updated the config to handle passing the organization id to the Auth0Provider. I verified the org id is being passed to the authorize request, and I am able to login no problem, but when I reload the page all the auth0 related cookies get cleared and I'm logged out. And again all the same conditions I reported before (using chrome, new login experience, etc). I also tried using a username/password db connection instead of the google social login and same result.

The auth_config I'm defining is:

{
  "domain": "dev-x59xd8k5.us.auth0.com",
  "clientId": "HP78pRZjg1ZIhpH6sze5Tv38sDiXBNNV",
  "organization": "org_CwkwSUtNU66h4KbT"
}

Let me know if you need anything else to help track this down, I appreciate your help!

@felizj17

Hey, I was running into this problem without the org set. Have you checked where the token is being stored?
I had to add cacheLocation="localstorage" in my Auth0Provider because my token was stored in sessionstorage, so it looked like this:

    domain="d****************m"
    clientId="B1********************6"
    redirectUri="http://localhost:9000/incidents"
    useRefreshTokens={true}
    cacheLocation="localstorage"

@jketcham

@felizj17 thanks for your tip, explicitly setting the cacheLocation to localstorage in my Auth0Provider did stop the log out on refresh problem from occurring 👍

I do wonder if that should be necessary though? The default cacheLocation value is memory, and the Auth0 docs mention that it's preferable to not use local storage because of potential security vulnerabilities.

But then I also see in their docs that "the in-memory method for browser storage does not provide persistence across page refreshes and browser tabs". Could this just be the issue maybe? Any thoughts @adamjmcgrath?
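The trade-off discussed above (in-memory cache is safer against script injection but empty after a reload, so the app must re-acquire tokens silently and fall back to an interactive login when that fails) can be made concrete with a small piece of application code. The following is an added example written for this thread; it is not code from auth0-react, auth0-spa-js or anyone posting here. It assumes a client object with auth0-spa-js-style `getTokenSilently()` and `loginWithRedirect()` methods; `makeMockClient()` and `AuthError` are constructed stand-ins so the code runs offline, and the `organization` value is the one posted earlier in the thread.

```javascript
// Added example (not auth0-react/auth0-spa-js code): restoring a session after a
// page refresh when the token cache lives in memory, and handling the case where
// silent authentication cannot see an Auth0 session.

// OAuth error codes that mean "no usable session for this request". These are
// answered with one interactive login, never with a retry loop.
const RECOVERABLE_ERRORS = new Set([
  "login_required",
  "consent_required",
  "interaction_required",
]);

// Constructed stand-in for the error type auth0-spa-js throws (it carries an
// `error` code alongside the message).
class AuthError extends Error {
  constructor(error, description) {
    super(description || error);
    this.error = error;
    this.error_description = description;
  }
}

function isRecoverableAuthError(err) {
  return Boolean(err) && RECOVERABLE_ERRORS.has(err.error);
}

// Options for loginWithRedirect() so the user lands on the same organization's
// login page instead of being asked for the org name again.
function redirectOptionsFor({ organization, returnTo } = {}) {
  const opts = {};
  if (organization) opts.organization = organization;
  if (returnTo) opts.appState = { returnTo };
  return opts;
}

async function restoreSession(client, { organization, returnTo } = {}) {
  try {
    // The in-memory cache is empty after a reload, so this call goes through the
    // hidden /authorize?prompt=none iframe (or a refresh token, if enabled).
    const token = await client.getTokenSilently();
    return { authenticated: true, token };
  } catch (err) {
    if (!isRecoverableAuthError(err)) {
      throw err; // network errors, misconfiguration, etc. must surface
    }
    // No session visible to the iframe (e.g. third-party cookies blocked):
    // fall back to a full-page login, carrying the organization through.
    const opts = redirectOptionsFor({ organization, returnTo });
    await client.loginWithRedirect(opts);
    return { authenticated: false, reason: err.error, redirectedWith: opts };
  }
}

// Constructed mock of an auth0-spa-js client; records redirect calls.
function makeMockClient({ token, failWith } = {}) {
  const calls = [];
  return {
    calls,
    async getTokenSilently() {
      if (failWith) throw new AuthError(failWith, "constructed failure");
      return token;
    },
    async loginWithRedirect(opts) {
      calls.push(opts);
    },
  };
}

// Usage with the constructed mock (organization id taken from this thread).
restoreSession(makeMockClient({ failWith: "login_required" }), {
  organization: "org_CwkwSUtNU66h4KbT",
  returnTo: "/incidents",
}).then((result) => console.log(result));
```

The point of the `isRecoverableAuthError` split is that only the three OAuth "needs interaction" codes should trigger a redirect; anything else (a misconfigured callback URL, a network failure) is reported, so the app does not bounce the user to `/authorize` in a loop.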

@felizj17

Hey, I haven't had a chance to test this out, but it seems there was some discussion on this here:
https://community.auth0.com/t/persisting-login-between-refreshes/22675

@adamjmcgrath
Contributor

@jketcham - thanks for sharing that repo, I'll take a look at debugging it today

@adamjmcgrath
Contributor

Hi @jketcham - I've tried out your example app on my SPA app with organizations enabled and I can't seem to reproduce your issue. When I refresh the page, getTokenSilently is able to log me in with the web_message response_mode.

Couple of things to check:

  1. When I refresh the page, the adam-spa-test.us.auth0.com/authorize?organization=... request to my tenant gets loaded in an iframe, and I can see that the request gets the auth0 session cookie from adam-spa-test.us.auth0.com and succeeds with a status code of 200.

(screenshot: sg-1)

  2. If I inspect the source of the adam-spa-test.us.auth0.com/authorize?organization=... response, I see some JavaScript that sends the web message back to my app, prepopulated with the code and state variables:
<!DOCTYPE html><html><head><title>Authorization Response</title></head><body><script type = "text/javascript">(function(window, document) {
    var targetOrigin = "http://localhost:3000";
    var webMessageRequest = {};
    var authorizationResponse = {
        type: "authorization_response",
        response: {
            "code": "Onn... redacted ...3Ra",
            "state": "cnBBMzRYM1dxRF9jNktJTG51YU5iMS42MUZfRkNMR3djbFU4NFpWa2xDVw=="
        }
    };

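The script shown above posts the authorization result from the hidden iframe back to the application. What matters on the receiving side is that the app only trusts a message from the tenant origin it opened, and only one whose `state` matches the request it started. The following is an added example illustrating those checks; it is not auth0-spa-js code (the SDK performs equivalent validation internally) and not code from anyone in this thread. It assumes the tenant is served over https at the domain named in the comment, and the sample event and its `code` value are constructed placeholders shaped like the script above.

```javascript
// Added example (not auth0-spa-js code): validating an "authorization_response"
// web message received by the parent page from the /authorize iframe.

function handleAuthorizationMessage(event, { expectedOrigin, expectedState }) {
  // 1. Accept only messages from the tenant that served the iframe; a message
  //    from any other origin is ignored rather than treated as a login.
  if (event.origin !== expectedOrigin) {
    return { ok: false, error: "unexpected_origin" };
  }
  const data = event.data;
  if (!data || data.type !== "authorization_response" ||
      !data.response || typeof data.response !== "object") {
    return { ok: false, error: "malformed_message" };
  }
  const { code, state, error, error_description } = data.response;
  // 2. Bind the response to the request this page started (the state value
  //    was generated locally before the iframe was opened).
  if (typeof state !== "string" || state !== expectedState) {
    return { ok: false, error: "state_mismatch" };
  }
  // 3. Surface OAuth errors (e.g. login_required) as data, not as a crash.
  if (error) {
    return { ok: false, error, description: error_description };
  }
  if (typeof code !== "string" || code.length === 0) {
    return { ok: false, error: "missing_code" };
  }
  // Only now is the code handed to the token exchange.
  return { ok: true, code };
}

// Constructed sample event, shaped like the script in the comment above.
// The state value is the one shown there; the code is a placeholder.
const SAMPLE_ORIGIN = "https://adam-spa-test.us.auth0.com"; // assumed scheme
const SAMPLE_STATE = "cnBBMzRYM1dxRF9jNktJTG51YU5iMS42MUZfRkNMR3djbFU4NFpWa2xDVw==";
const sampleEvent = {
  origin: SAMPLE_ORIGIN,
  data: {
    type: "authorization_response",
    response: { code: "PLACEHOLDER_CODE", state: SAMPLE_STATE },
  },
};

// Wiring in a browser would be:
//   window.addEventListener("message", (e) =>
//     handleAuthorizationMessage(e, { expectedOrigin: SAMPLE_ORIGIN, expectedState }));
console.log(handleAuthorizationMessage(sampleEvent, {
  expectedOrigin: SAMPLE_ORIGIN,
  expectedState: SAMPLE_STATE,
}));
```

The origin check and the state check are independent: the first stops a page from another site from injecting a response, the second stops a response to a different (or earlier) request from being accepted for this one. A `login_required` error arriving through the same channel is the normal outcome when the iframe cannot see an Auth0 session cookie, which is why the function returns it as a value.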
frederikprijck added the "more info needed" label on Nov 9, 2021
@frederikprijck
Member

Closing this due to no activity. Feel free to reply and we can reopen if needed.
