Authentication doesn't persist when page is reloaded

[masonoise]

I've been trying to get this to work, but the authentication isn't persisting. I saw the note on the example page about social login not persisting, but I'm testing with email/password. I've got a login page displaying the isAuthenticated/userinfo/etc, and when I login I can see the info for a second but then it directs to the user home page, isAuthenticated is false, and the userinfo is gone. If I go to login again, Auth0 also thinks I'm logged out. Any ideas what's causing this? Just to check I tried the Universal Login "New" setting but it didn't work any better. Thanks for any thoughts. I could post code here, but it's pretty much just copy-paste from your example!

[dopry]

It persists for me on https://darrelopry.com/svelte-auth0/ and https://darrelopry.com/svelte-oidc/. You'll need to provide a better example and directions to re-produce in order for me to help you. It sound like your auth0 is nor configured correctly. I'd recommend enable preserve log in your console and network screens to see if you can catch the error with the silentRenew. Please re-open if you have more details.

[Leftium]

Does "persist" mean the stores like isAuthenticated maintain their values on page refresh? (Browser F5 key)

Here is a loom where this is not happening on https://darrelopry.com/svelte-auth0/. Video starts right after logging in so user details are shown. Then I refreshed the page and all values reset. I enabled "preserve log": https://www.loom.com/share/0bc610c810e240e8964e34aa5bed0630

[Leftium]

I think the reason authentication doesn't persist is because the cacheLocation option of createAuth0Client() must be set to localstorage. The default is memory, which is wiped on page reloads:

https://github.com/dopry/svelte-auth0/blob/c556382ced36ec8a6c909a7af27c04ab03b01669/src/components/Auth0Context.svelte#L37

Reference: https://auth0.com/docs/libraries/auth0-single-page-app-sdk#change-storage-options

[dopry]

Yes, but silent renew should be working on page load. Session should still be alive on Auth0.

On Mon, Mar 22, 2021, 10:04 AM John-Kim Murphy @.***> wrote:

I think the reason authentication doesn't persist is because the cacheLocation option of createAuth0Client() must be set to localstorage. The default is memory, which is wiped on page reloads.

Relevant code: https://github.com/dopry/svelte-auth0/blob/c556382ced36ec8a6c909a7af27c04ab03b01669/src/components/Auth0Context.svelte#L37

Reference: https://auth0.com/docs/libraries/auth0-single-page-app-sdk#change-storage-options

— You are receiving this because you modified the open/close state. Reply to this email directly, view it on GitHub https://github.com/dopry/svelte-auth0/issues/7#issuecomment-804087699, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAC6UOCKAVQH6G7J2Q5NBD3TE5E5PANCNFSM4PS2GM5A .

[dopry]

@Leftium the silent auth will only work with User Pass logins on the free Auth0 account I am using for this demo. If you register a user locally it will work. This is a limit to auth0... but you are correct that switching to localStorage caching would save the round trip of silent auth on reload.

[dopry]

@Leftium can you trying refreshing with user pass and verify whether is it working for you or not? If it isn't I'll need to know your browser version and any cookie blocking privacy controls /extensions you're using. I opened #16 to address the issues with social login explicitly, as I'm pretty sure this is all related to the cookie issues mentioned there.

[Leftium]

I only tried with social login; it does indeed persist with email login. I didn't realize silentRenew could persist the authentication like that without local storage.

I investigated with my own Auth0 project and I was able to persist social logins without local storage as well by using my own Google/Facebook keys instead of Auth0's developer keys. I don't think I changed my project's code; just the social connection configurations at Auth0.com.

[dopry]

It's a cool feature, in theory it's more secure than storing an actual access token in local storage. You have a session cookie with the identity provider and as long as it's valid you can make call up to the IDp to verify and get a new token. Session can be separately ended by the IDp or the user, say you want to logout from all services using the google ui because you think you left your email logged in on a library computer or something like that... The session cookie can be invalidated... Real access credentials in this case are only stored in memory...

The one drawback I really see is the delay waiting on the multiple requests to get a token after reload. With the demo you see a flash of unauthenticated content. I'm fairly certain you can condition around that, but I haven't tried it yet.