okta / okta-auth-js

The official js wrapper around Okta's auth API

Okta 403 error in OAuth flow results in failed login #424

Open AlbericTrancart opened 4 years ago

AlbericTrancart commented 4 years ago

Hello!

Since our release last week some of our users (~2%) are experiencing failed logins.

When we look at our logs, we link those errors to one main scenario:

Here is our implementation in JS with @okta/okta-auth-js:

try {
    const transaction: LoginTransaction = await authClient.signIn({ username: email, password, });

    if (!(transaction && transaction.status === 'SUCCESS')) {
        throw new Error(`Unknown login transaction status: ${transaction?.status}`); 
    }

    const response: OktaTokenResponse = await authClient.token.getWithoutPrompt({
        sessionToken: transaction.sessionToken, 
        responseType: ['token', 'openid'], 
        scopes: ['openid', 'profile', 'email', 'phone'], 
    }); 

    // set token in token manager...
} catch (error) { 
    // login failed code... 
}

We are using the latest version of okta-auth-js:

yarn why @okta/okta-auth-js
yarn why v1.19.1
[1/4] Why do we have the module "@okta/okta-auth-js"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "@okta/okta-auth-js@3.1.4" 
info Has been hoisted to "@okta/okta-auth-js" 
info This module exists because it's specified in "dependencies". 
info Disk size without dependencies: "908KB" 
info Disk size with unique dependencies: "1.43MB" 
info Disk size with transitive dependencies: "6.55MB" 
info Number of shared dependencies: 8
Done in 1.04s.

How to reproduce

All users having the issue are on IE 11. However, we have ten times this number using our app with IE 11 without this issue.

As we don't have access to our final users, we can't have more precise reproduction steps than what we have in the logs.

aarongranick-okta commented 4 years ago

@AlbericTrancart Have you been able to reproduce this issue directly, or are you only seeing the error in the logs? Can you see the difference in time between the authn call and the token call? Is the error happening in a token call immediately after authn? There is token renew logic which will eventually fail when the session has expired. These types of errors are expected, but they don't occur in the login flow, they happen in the background on a timer.

AlbericTrancart commented 4 years ago

I wasn't able to reproduce it directly, but some of our users can reproduce it in a deterministic way (it always fails on their setup). Using a more recent browser always works for them. We will start asking them for their specific build of IE 11 from now on to see if it's a specific IE 11 version.

In the logs, the calls happen in quick succession (~20-50ms...) so it shouldn't be the token expiring.

swiftone commented 4 years ago

Another potential issue is if their machines are notably off in time - the token won't expire in ~20-50ms, but if their local machine thinks the time is one time and the server thinks the time is tens of minutes or hours different, that could be an issue.

AlbericTrancart commented 4 years ago

We already had an issue with users having their time off but in this case we had an error "the JWT token was issued in the future". Are there any possible conditions when this error is not triggered but the token is still "expired"?
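
A diagnostic for the clock-skew hypothesis discussed in the two comments above, as an added example that is not part of this thread or of okta-auth-js: it estimates the offset between the browser clock and the server from a response's Date header, then classifies an ID token's iat/exp claims against the corrected time so that a "token issued in the future" or "expired" condition can be logged before the token call is blamed. The sample token, the Date header value and the 300-second tolerance are constructed for the demonstration.

```javascript
// Added example (not okta-auth-js code): estimate browser/server clock skew
// and classify JWT timing claims against the corrected clock.

// Decode the payload segment of a JWT. No signature check is done here;
// this is for diagnostics only, verification stays with the server/SDK.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact token');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Skew = server time - local time, taken from an HTTP Date header.
function estimateClockSkewMs(dateHeader, localNowMs) {
  const serverMs = Date.parse(dateHeader);
  if (Number.isNaN(serverMs)) throw new Error('unparseable Date header');
  return serverMs - localNowMs;
}

// Compare iat/exp (seconds) with local time corrected by the measured skew.
// toleranceSec mirrors the leeway a token validator typically allows.
function classifyTokenTiming(payload, localNowMs, skewMs, toleranceSec) {
  const nowSec = (localNowMs + skewMs) / 1000;
  if (typeof payload.iat === 'number' && payload.iat > nowSec + toleranceSec) return 'issued-in-future';
  if (typeof payload.exp === 'number' && payload.exp < nowSec - toleranceSec) return 'expired';
  return 'ok';
}

// Constructed sample token: header + payload, signature segment left empty
// because only the payload is decoded above.
function makeSampleJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', kid: 'constructed' })}.${enc(payload)}.`;
}

// Scenario: the user's machine is 30 minutes behind the server.
function demo() {
  const localNowMs = Date.UTC(2020, 0, 1, 12, 0, 0);   // browser clock
  const dateHeader = 'Wed, 01 Jan 2020 12:30:00 GMT';  // server clock (constructed)
  const skewMs = estimateClockSkewMs(dateHeader, localNowMs);
  const iatSec = Math.floor(Date.UTC(2020, 0, 1, 12, 30, 0) / 1000);
  const payload = decodeJwtPayload(makeSampleJwt({ iat: iatSec, exp: iatSec + 3600 }));
  return {
    skewMs,
    uncorrected: classifyTokenTiming(payload, localNowMs, 0, 300),
    corrected: classifyTokenTiming(payload, localNowMs, skewMs, 300),
  };
}
```

Logging the skew next to the authn-to-token interval lets the two hypotheses in this thread (session timing versus a client clock that is far off) be told apart from the logs alone.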

swiftone commented 4 years ago

@AlbericTrancart - Absent a reproduction we're guessing much like you are, but here are the guesses we have:

Sorry, we don't have more suggestions absent a repro case. You may be able to reach out to our support team and see if they can provide more detailed information from the logs - they can be reached at developers@okta.com