User is returned undefined and isAUthenticated with false when logging into the same browser with different users

[jsaulsberry-cvet]

Checklist

• The issue can be reproduced in the auth0-react sample app (or N/A).
• I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
• I have looked into the API documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

When switching between different auth0 users within the same browser, the user from useAuth0() will return undefined and the isAuthenticated will return false, even after the user has successfully authenticated with the loginWithRedirect function. This occurs when using the cacheLocation is set to memory

Reproduction

1. Setup an auth0 provider with cacheLocation='memory' useRefreshTokens={true} and useRefreshTokensFallback={true}
2. Use a chrome or microsoft edge browser and authenticate a user and switch between several auth0 accounts.
3. You should notice that after proceeding through the loginWithRedirect and being directed to the client application that intermittently, the user will still be undefined and the isAuthenticated will be false.

Additional context

No response

auth0-react version

2.2.0

React version

18.3.1

Which browsers have you tested in?

Chrome, Edge

[jsaulsberry-cvet]

We are noticing that this has a higher rate of occurrence when the browser blocks third party cookies

[nandan-bhat]

Hi @jsaulsberry-cvet

Can you confirm if this issue occurs only when switching between different users? Additionally, could you share how the onRedirectCallback is being handled in your application?

Just a quick note: if cacheLocation is set to memory, the user information will not persist after a page reload. However, I understand that your use case might differ in this scenario.

[reyemtm]

What also occurs is that getAccessTokenSilently will return a valid token (if the token is not expired), even after isAuthenticated returns false. But of course we can't simply call this every time isAuthenticated is false because that could end up in a loop if the token throws an error.

[cestorer]

Same issues