Description
Checklist
- The issue can be reproduced in the auth0-react sample app (or N/A).
- I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
- I have looked into the API documentation and have not found a suitable solution or answer.
- I have searched the issues and have not found a suitable solution or answer.
- I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- I agree to the terms within the Auth0 Code of Conduct.
Description
After updating to auth0-react v2, we noticed that our active users don't get logged out after they are blocked in the Auth0 Dashboard / User Management and their current token expires.
V1 behavior: when their current token expired, blocked users were immediately logged out from the platform when trying to acquire a new token.
V2 behavior: blocked users can still interact with the app after their current token expired. getAccessTokenSilently() returns a 'user is blocked' error, the network log is filled with
We have been using a custom cache implementation, which seems to interfere with this behavior:
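import { set, get, del, keys } from "idb-keyval";

// Custom cache backed by IndexedDB via idb-keyval.
// The opening line of the enclosing function is missing from the post;
// the name createIdbCache is a placeholder.
const createIdbCache = () => {
  const cache = {
    // Resolve to null instead of undefined on a cache miss.
    get: (key) => get(key).then((cacheable) => cacheable || null),
    set: (key, cacheable) => set(key, cacheable),
    remove: (key) => del(key),
    allKeys: keys,
  };
  return cache;
};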
Using the sample application the following were validated using v2:
- the custom cache affects the logout logic: with the custom cache above, the user does not get logged out immediately after trying to call the external API
- without the custom cache the user immediately gets logged out
- in neither case do we see an error in the console
Using the sample application the following were validated after downgrading to v1:
- regardless of using a custom cache or not, the blocked user immediately gets logged out after their token expires and they try to call the external API, and a 401 error is logged to the console:
Reproduction
On v2:
Step 1: Run the sample app with the custom cache implementation.
Step 2: Block the current user in the Auth0 Dashboard and wait for the token to expire.
Step 3: Try to fire the external API call and observe how you are not logged out immediately.
On v1 this logout happened automatically on the first interaction with the App (after the blocked user has expired), you can verify it by downgrading to v1 in the sample app and going through the above steps.
Additional context
We solved the issue for now by calling logout() manually after checking the error in the catch block of getAccessTokenSilently(): if (error.message === 'user is blocked') logout(),
but this looks like a hack compared to the previous behavior.
auth0-react version
2.2.0
React version
17 (our app) & 18 (sample app)
Which browsers have you tested in?
Chrome
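
A more general form of the workaround described under "Additional context", as an added example that is not part of the original issue or of auth0-react: it wraps getAccessTokenSilently() so that the first 'user is blocked' error ends the session exactly once, even with concurrent callers, and later calls stop without issuing further token requests. createGuardedTokenGetter, isTerminalAuthError and TERMINAL_MESSAGES are hypothetical names; the two wrapped functions are assumed to be the ones returned by useAuth0().

```javascript
// Added example, not auth0-react code. All names defined here are hypothetical.
// Error messages that mean "this session must end now". Only 'user is blocked'
// comes from the issue; extend the set for other terminal conditions.
const TERMINAL_MESSAGES = new Set(["user is blocked"]);

function isTerminalAuthError(error) {
  return Boolean(error) && TERMINAL_MESSAGES.has(error.message);
}

// getAccessTokenSilently and logout are passed in (e.g. from useAuth0()),
// so the guard itself has no dependency on the SDK.
function createGuardedTokenGetter({ getAccessTokenSilently, logout }) {
  let loggingOut = null; // shared promise, set by the first terminal error

  return async function getToken(options) {
    if (loggingOut) {
      // Session is already being torn down: do not hit the token endpoint again.
      await loggingOut;
      throw new Error("session terminated");
    }
    try {
      return await getAccessTokenSilently(options);
    } catch (error) {
      // Transient failures (network, timeouts) must not log the user out.
      if (!isTerminalAuthError(error)) throw error;
      // Several components may fail at once; only the first starts the logout.
      loggingOut = loggingOut || Promise.resolve(logout());
      await loggingOut;
      throw error;
    }
  };
}
```

Create one guarded getter per Auth0Provider and share it across components, so every token request in the app goes through the same loggingOut state.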