Open AlbericTrancart opened 4 years ago
@AlbericTrancart Have you been able to reproduce this issue directly, or are you only seeing the error in the logs? Can you see the difference in time between the authn call and the token call? Is the error happening in a token call immediately after authn? There is token renew logic which will eventually fail when the session has expired. These types of errors are expected, but they don't occur in the login flow, they happen in the background on a timer.
I wasn't able to reproduce it directly but some of our users can reproduce it in a deterministic way (always fails on their setup). Using a more recent browser always works for them. We will start asking them for their specific build of IE 11 from now on to see if it's a specific IE 11 version.
In the logs, the calls happen in quick succession (~20-50ms...) so it shouldn't be the token expiring.
Another potential issue is if their machines are notably off in time - the token won't expire in ~20-50ms, but if their local machine thinks the time is one time and the server thinks the time is tens of minutes or hours different, that could be an issue.
We already had an issue with users having their time off but in this case we had an error "the JWT token was issued in the future". Are there any possible conditions when this error is not triggered but the token is still "expired"?
@AlbericTrancart - Absent a reproduction we're guessing much like you are, but here are the guesses we have:
The 403 means that you never get a valid token, so it's not an issue of token expiration. It is possible the attempt to get the token is failing because the ephemeral PKCE values used to redeem the token are being replaced before the token exchange is complete. We have some tickets to make sure that doesn't happen, but if you are using PKCE currently you could try switching to implicit flow to avoid the issue while those PKCE issues are resolved. Unfortunately, auth-js 3.1.2 should have fixed these issues, so we haven't confirmed a problem.
This issue can occur when you have multiple tabs connecting at the same time, such as reopening a browser that invokes the js on all those tabs at once. If you can get information about which browsers and builds these happen in, that could help.
Sorry we don't have more suggestions absent a repro case. You may be able to reach out to our support team and see if they can provide more detailed information from the logs - they can be reached at developers@okta.com
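The failure mode guessed at in the comment above (PKCE values replaced before the token exchange completes, for instance when several tabs start at once), as an added example that is not okta-auth-js code or part of the thread. It uses a constructed in-memory server and storage with hypothetical names, and compares one fixed storage key against a key scoped to each request's state.

```javascript
const crypto = require('node:crypto');

// RFC 7636 S256: code_challenge = BASE64URL(SHA-256(code_verifier))
const b64url = (buf) => buf.toString('base64url');
const newVerifier = () => b64url(crypto.randomBytes(32));
const challengeFor = (verifier) =>
  b64url(crypto.createHash('sha256').update(verifier).digest());

// Constructed stand-in for an authorization server: binds each code to a challenge.
function makeServer() {
  const codes = new Map();
  return {
    authorize(challenge) {
      const code = b64url(crypto.randomBytes(8));
      codes.set(code, challenge);
      return code;
    },
    // Returns true when the verifier matches the challenge bound to the code.
    token(code, verifier) {
      const expected = codes.get(code);
      codes.delete(code); // authorization codes are single-use
      return typeof verifier === 'string' && challengeFor(verifier) === expected;
    },
  };
}

// Hypothetical tab: stores its verifier under keyFor(state), reads it back to redeem.
function makeTab(server, storage, keyFor) {
  return {
    startLogin(state) {
      const verifier = newVerifier();
      storage.set(keyFor(state), verifier);
      return server.authorize(challengeFor(verifier));
    },
    finishLogin: (state, code) => server.token(code, storage.get(keyFor(state))),
  };
}

function runTwoTabs(keyFor) {
  const server = makeServer();
  const storage = new Map(); // assumption: storage shared by same-origin tabs
  const tabA = makeTab(server, storage, keyFor);
  const tabB = makeTab(server, storage, keyFor);
  const codeA = tabA.startLogin('state-A');
  const codeB = tabB.startLogin('state-B'); // starts before tab A redeems its code
  return { a: tabA.finishLogin('state-A', codeA), b: tabB.finishLogin('state-B', codeB) };
}

const sharedSlot = runTwoTabs(() => 'pkce');               // one fixed key: tab A is rejected
const perRequest = runTwoTabs((state) => `pkce:${state}`); // key per request: both succeed
console.log({ sharedSlot, perRequest });
```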
Hello!
Since our release last week some of our users (~2%) are experiencing failed logins.
When we look at our logs, we link those errors to one main scenario:
1. POST /api/v1/authn call is made, response code is 200
2. POST /oauth2/default/v1/token call is made, response code is 403
3. AuthApiError with an empty message and errorSummary. Link to relevant code in the lib

Here is our implementation in JS with @okta/okta-auth-js:
We are using the latest version of okta-auth-js:
How to reproduce
All users having the issue are on IE 11. However, we have ten times this number using our app with IE 11 without this issue.
As we don't have access to our final users, we can't have more precise reproduction steps than what we have in the logs.