
Automatic logout when active user is blocked disappeared after update to v2 #814

Open · 6 tasks done
pldvd opened this issue Nov 13, 2024 · 4 comments
Labels: bug (Something isn't working)

Comments

pldvd commented Nov 13, 2024

Description

After updating to auth0-react v2, we noticed that our active users don't get logged out after they are blocked in the Auth0 Dashboard / User Management and their current token expires.

V1 behavior: when their current token expired, blocked users were immediately logged out from the platform when trying to acquire a new token.
V2 behavior: blocked users can still interact with the app after their current token expired. getAccessTokenSilently() returns a 'user is blocked' error, the network log is filled with

We have been using a custom cache implementation, which seems to interfere with this behavior:

  import { set, get, del, keys } from "idb-keyval";

  // Factory wrapper (name is hypothetical): the posted fragment only showed
  // the object body and the closing "return cache; };" of an enclosing function.
  const createIdbCache = () => {
    const cache = {
      // idb-keyval resolves to undefined on a miss; the SDK expects null
      get: (key) => get(key).then((cacheable) => cacheable || null),
      set: (key, cacheable) => set(key, cacheable),
      remove: (key) => del(key),
      allKeys: keys,
    };
    return cache;
  };

Using the sample application the following were validated using v2:

  • the custom cache affects the logout logic: with the custom cache above, the user does not get logged out immediately after trying to call the external API
  • without the custom cache the user immediately gets logged out
  • in neither case do we see an error in the console

Using the sample application the following were validated after downgrading to v1:

  • regardless of using a custom cache or not, the blocked user immediately gets logged out after their token expires and they try to call the external API, and a 401 error is logged to the console:
    (screenshot attached: "Screenshot 2024-11-13 at 17 08 33")

Reproduction

On v2:
Step 1: Run the sample app with the custom cache implementation
Step 2: Block the current user in the Auth0 Dashboard and wait for the token to expire
Step 3: Try to fire the external API call and observe that you are not logged out immediately.

On v1 this logout happened automatically on the first interaction with the App (after the blocked user has expired), you can verify it by downgrading to v1 in the sample app and going through the above steps.

Additional context

We solved the issue for now by calling logout() manually after checking the error in the catch block of getAccessTokenSilently(): if (error.message === 'user is blocked') logout(); but this looks like a hack compared to the previous behavior.

auth0-react version

2.2.0

React version

17 (our app) & 18 (sample app)

Which browsers have you tested in?

Chrome
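The workaround described in the issue, written out as an added example (this is not code from the issue or from the auth0-react project): a wrapper around getAccessTokenSilently() that treats a 'user is blocked' error from the token endpoint as the end of the session, clears the SDK's entries from the custom cache and calls logout(), while re-throwing any other error so it is not masked. The Auth0 client and the cache are constructed in-memory stand-ins with the same interface as the idb-keyval cache above; the '@@auth0spajs@@' key prefix and the token error shape are assumptions, not taken from the page.

```javascript
// Added example, not part of the original issue or the auth0-react SDK.
// Constructed in-memory cache with the same interface as the idb-keyval cache
// posted in the issue (get resolves to null on a miss, as the SDK expects).
function createMemoryCache() {
  const store = new Map();
  return {
    get: (key) => Promise.resolve(store.has(key) ? store.get(key) : null),
    set: (key, value) => Promise.resolve(store.set(key, value)),
    remove: (key) => Promise.resolve(store.delete(key)),
    allKeys: () => Promise.resolve([...store.keys()]),
  };
}

// Constructed stand-in for the Auth0 client. Once block() has been called, the
// simulated token endpoint rejects with the message the issue reports.
// The cache key is an assumed SDK-style key ('@@auth0spajs@@' prefix), not taken from the page.
const ASSUMED_SDK_KEY_PREFIX = '@@auth0spajs@@';

function createFakeAuth0Client(cache) {
  const state = { blocked: false, loggedOut: false, tokensIssued: 0 };
  return {
    state,
    block: () => { state.blocked = true; },
    getAccessTokenSilently: async () => {
      if (state.blocked) throw new Error('user is blocked');
      state.tokensIssued += 1;
      const token = `token-${state.tokensIssued}`;
      await cache.set(`${ASSUMED_SDK_KEY_PREFIX}::client::audience::scope`, { access_token: token });
      return token;
    },
    logout: async () => { state.loggedOut = true; },
  };
}

// The wrapper: resolves { token } on success, or { loggedOut: true, reason }
// when the token endpoint says the user is blocked. Other errors propagate.
async function getTokenOrEndSession(auth0, cache) {
  try {
    return { token: await auth0.getAccessTokenSilently() };
  } catch (error) {
    if (error && error.message === 'user is blocked') {
      // Remove only the SDK's cached entries so nothing stale survives the logout.
      const keys = await cache.allKeys();
      const sdkKeys = keys.filter((k) => k.startsWith(ASSUMED_SDK_KEY_PREFIX));
      await Promise.all(sdkKeys.map((k) => cache.remove(k)));
      await auth0.logout();
      return { loggedOut: true, reason: error.message };
    }
    throw error;
  }
}

// Scenario mirroring the reproduction steps: one successful token fetch,
// the user is blocked, the next fetch ends the session.
async function runScenario() {
  const cache = createMemoryCache();
  const auth0 = createFakeAuth0Client(cache);
  const first = await getTokenOrEndSession(auth0, cache);
  const keysBeforeBlock = (await cache.allKeys()).length;
  auth0.block();
  const second = await getTokenOrEndSession(auth0, cache);
  const keysAfterBlock = (await cache.allKeys()).length;
  return {
    firstToken: first.token,
    keysBeforeBlock,
    second,
    keysAfterBlock,
    loggedOut: auth0.state.loggedOut,
  };
}

// Shows that errors other than 'user is blocked' are not swallowed.
async function otherErrorIsRethrown() {
  const cache = createMemoryCache();
  const auth0 = {
    getAccessTokenSilently: async () => { throw new Error('login_required'); },
    logout: async () => { throw new Error('logout must not be called'); },
  };
  try {
    await getTokenOrEndSession(auth0, cache);
    return false;
  } catch (error) {
    return error.message === 'login_required';
  }
}

runScenario().then((r) => console.log(JSON.stringify(r)));
```

In the real app the same wrapper would receive the object returned by useAuth0() and the idb-keyval cache instance; the design choice is to fail closed on a definitive identity-provider answer ('user is blocked') rather than keeping the app usable on whatever the cache still holds.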

pldvd added the bug label Nov 13, 2024

pldvd (Author) commented Nov 14, 2024

Hey! So just to clarify, it definitely has to do with the custom cache implementation which, until we were on v1, worked fine. Now on v2 we need to manually logout the user when the token endpoint returns a "user is blocked" error.

nandan-bhat (Contributor) commented

Hello @pldvd,

You can still fix this behavior by setting useRefreshTokensFallback to true.

In v1, when using refresh tokens, the application would fall back to using iframes if a refresh token exchange failed. However, this approach has caused issues in environments that do not support iframes. To address this, we introduced the useRefreshTokensFallback option, allowing users to opt out of iframe fallback in case a refresh_grant fails.

In v2, we’ve changed the default value of useRefreshTokensFallback to false. This means that if useRefreshTokens is set to true and the refresh token exchange fails, the application will no longer fall back to using iframes by default.

If you prefer the original behavior, where the application falls back to iframes upon a refresh token exchange failure, you can explicitly set useRefreshTokensFallback to true.

Migration Guide: https://github.com/auth0/auth0-react/blob/main/MIGRATION_GUIDE.md#no-more-iframe-fallback-by-default-when-using-refresh-tokens
SDK API Reference: https://auth0.github.io/auth0-react/interfaces/Auth0ProviderOptions.html#useRefreshTokensFallback

pldvd (Author) commented Jan 23, 2025

Hey @nandan-bhat! Thank you for taking the time to reply. It has been a while but I am back at this issue and I want to clarify two things:

  • our project uses refresh tokens, so useRefreshTokens: true with refresh token rotation, and we are also falling back to the original behavior of an iframe calling /authorize for a new authorization code, so useRefreshTokensFallback: true as well.
  • however: upon receiving a 403 from the token endpoint, the /authorize call is not made, which is expected, as according to the source code in auth0-spa-js, iframe fallback is only used in a handful of cases (blocked user not being one)

pldvd (Author) commented Jan 24, 2025

Any other takes on this? Please let me know...
