Description
Checklist
- The issue can be reproduced in the auth0-react sample app (or N/A).
- I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
- I have looked into the API documentation and have not found a suitable solution or answer.
- I have searched the issues and have not found a suitable solution or answer.
- I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- I agree to the terms within the Auth0 Code of Conduct.
Description
Hello,
Background information
We have an SPA application that needs to use different pairs of audience & scope in different flows.
For that we made some logic that calculates the scope and audience values dependent on the path. After that we pass these values to Auth0Provider.
This is the example of the hook that returns audience and scope values. By default we pass MFA scope and audience, but on some flows we pass our Backend scopes and audience.
And how we use it in Auth0Provider.
This logic is written for our custom email verification flow. We have an Auth0 action that redirects user to '/email-verification' page in the SPA if email_verified is false for the user. It requires our backend's values for scope and audience as well as a bypass hint.
The issue
Short version:
After Auth0 truncates code, state parameters in the URL and returns user back to the email-verification page, the values in getTokenSilently function (from auth0-spa-js?) are not the same, that are passed to Auth0Provider
So when we attempt to call getAccessTokenSilently, Auth0 throws an error and makes redundant /authorize? request with current and previous scopes values combined.
Long version:
After debugging I tried to illustrate what values of scope and audience we receive on each step in our SPA's Auth0Provider, in auth0-react's Auth0Provider and in the function getTokenSilently.
Let me describe these steps in more details:
- User logs in to our SPA
- Our Auth0 action detects that user's email is not verified and redirects to /email-verification page.
- SPA's Auth0 Provider detects that
path === email-verificationand returns Backend values for scope and audience. /authorize?request is made with Backend scope and audience.- After successful silent authentication, User is redirected back to the main page
/profile?code=...&state-... - SPA's Auth0 Provider checks that
path !== email-verificationand returns default values for scope and audience, which are MFA. - Auth0 SDK removes
codeandstateparameters from URL and redirects user back to/email-verificationpage. - SPA's Auth0 Provider detects that
path === email-verificationand returns Backend values for scope and audience. - Auth0Provider in auth0-react library doesn't update new values of scopes and audience, which are Backend.
- Users clicks on a button to make a backend API call.
getAccessTokenSilentlyfunction is called to receive accessToken. At this point we expect to get the token for Backend scope and audience.- Inside
getTokenSIlentlyfunction values of scope and audience are MFA, they were not refreshed after steps 7 and 8. - Auth0 makes redundant
/authorizecall with the scope value of MFA and Backend combined and throws back an error 'External interaction required'.
I tried as well to pass authorizationParams inside getAccessTokenSilently function, but the result was the same.
If I refresh the page before calling for the access token, everything works as expected without errors.
Reproduction
I will try to create a repo where the issue can be reproduced, but it make require some time for me to set up as I'm not very familiar with Auth0 actions.
Also, Is there a more correct way to handle authorization with different audiences and scopes than what we do?
Thank you for your time!
Additional context
No response
auth0-react version
2.3.0
React version
18.2.0
Which browsers have you tested in?
Chrome