You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
After updating to auth0-react v2, we noticed that our active users don't get logged out, after they are blocked in the Auth0 Dashboard / User Management and their current token expires.
V1 behavior: when their current token expired, blocked users were immediately logged out from the platform when trying to acquire a new token.
V2 behavior: blocked users can still interact with the app after their current token expired. getAccessTokenSilently() returns a 'user is blocked' error, the network log is filled with
We have been using a custom cache implementation, which seems to interfere with this behavior:
Using the sample application the following were validated using v2:
custom cache effects the logout logic, with the custom cache above, the user does not get logged out immediately after trying to call the external API
without the custom cache the user immediately gets logged out
in neither case do we see an error in the console
Using the sample application the following were validated after downgrading to v1:
regardless of using a custom cache or not, the blocked user immediately gets logged out after their token expires and they try to call the external api, and a 401 error is logged to the console:
Reproduction
On v2:
Step1: Run sample app with custom cache implementation
Step2: Block the current user in Auth0 Dashboard and wait for the token to expire
Step3: Try to fire the external API call and observe how you are not logged out immediately.
On v1 this logout happened automatically on the first interaction with the App (after the blocked user has expired), you can verify it by downgrading to v1 in the sample app and going through the above steps.
Additional context
We solved the issue for now by calling logout() manually after checking the error in the catch block of getAccessTokenSIlently(), if (error.message === 'user is blocked') logout() but this looks like a hack compared to the previous behavior.
auth0-react version
2.2.0
React version
17 (our app) & 18 (sample app)
Which browsers have you tested in?
Chrome
The text was updated successfully, but these errors were encountered:
Hey! So just to clarify, it definitely has to do with the custom cache implementation which, until we were on v1, worked fine. Now on v2 we need to manually logout the user when the token endpoint returns a "user is blocked" error.
You can still fix this behavior by setting useRefreshTokenFallback to true.
In v1, when using refresh tokens, the application would fall back to using iframes if a refresh token exchange failed. However, this approach has caused issues in environments that do not support iframes. To address this, we introduced the useRefreshTokensFallback option, allowing users to opt out of iframe fallback in case a refresh_grant fails.
In v2, we’ve changed the default value of useRefreshTokensFallback to false. This means that if useRefreshTokens is set to true and the refresh token exchange fails, the application will no longer fall back to using iframes by default.
If you prefer the original behavior, where the application falls back to iframes upon a refresh token exchange failure, you can explicitly set useRefreshTokensFallback to true.
Checklist
Description
After updating to auth0-react v2, we noticed that our active users don't get logged out, after they are blocked in the Auth0 Dashboard / User Management and their current token expires.
V1 behavior: when their current token expired, blocked users were immediately logged out from the platform when trying to acquire a new token.
V2 behavior: blocked users can still interact with the app after their current token expired. getAccessTokenSilently() returns a 'user is blocked' error, the network log is filled with
We have been using a custom cache implementation, which seems to interfere with this behavior:
Using the sample application the following were validated using v2:
Using the sample application the following were validated after downgrading to v1:
Reproduction
On v2:
Step1: Run sample app with custom cache implementation
Step2: Block the current user in Auth0 Dashboard and wait for the token to expire
Step3: Try to fire the external API call and observe how you are not logged out immediately.
On v1 this logout happened automatically on the first interaction with the App (after the blocked user has expired), you can verify it by downgrading to v1 in the sample app and going through the above steps.
Additional context
We solved the issue for now by calling logout() manually after checking the error in the catch block of getAccessTokenSIlently(),
if (error.message === 'user is blocked') logout()
but this looks like a hack compared to the previous behavior.auth0-react version
2.2.0
React version
17 (our app) & 18 (sample app)
Which browsers have you tested in?
Chrome
The text was updated successfully, but these errors were encountered: