auth0/auth0-react

The getAccessTokenSilently response returns access_token populated with organization data after page refresh

enshtein06 opened this issue · 3 comments

Checklist

  • The issue can be reproduced in the auth0-react sample app (or N/A).
  • I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • #558

Description

Hi!
The getAccessTokenSilently response contains the organization claims even if the organization field is null or undefined.
The organization claim isn't there when we log in and call the getAccessTokenSilently function. Then if we call the getAccessTokenSilently function with the organization provided, the access_token will contain the organization's claims. But if we refresh the page and getAccessTokenSilently executes again with the ignoreCache flag equal to true and the organization field equal to null or undefined, the access_token still contains the organization claim.

Reproduction

  1. Log in and call the getAccessTokenSilently function with no organization specified.
  2. Decode the token. The token won't have the organization's data.
  3. Call the getAccessTokenSilently function with a specified organization.
  4. Decode the token. The token will have the organization's data.
  5. Refresh the page with a call of the getAccessTokenSilently function with no organization specified.
  6. Decode the token.
  7. The access_token will still contain the organization's data. (the ignoreCache flag is enabled)

Additional context

No response

auth0-react version

^1.9.0

React version

^17.0.0

Which browsers have you tested in?

Chrome

Hi @enshtein06 - thanks for raising this

This is by design:

  • If an org_id claim is returned in the ID token, the SDK stores it in a new cookie to act as a "hint" for silent authentication
  • When doing getTokenSilently with iframe + prompt=none, if the hint cookie is available and no value for organization was given in the options, the value from the cookie is read and sent to the authorization request

auth0/auth0-spa-js#788

We did this because, if a user logs in with an organization with loginWithRedirect, they would then expect subsequent silent logins to honour the same organization.

If you want to log in to an organization and then, on the same client, log in with no organization, you'll need to clear the organization hint cookie. You can do this by doing a local logout or deleting the cookie manually, e.g.:

await getAccessTokenSilently({ cacheMode: 'off' }) // get AT with no org_id
await getAccessTokenSilently({ cacheMode: 'off', authorizationParams: { organization: 'org_123' } }) // get AT with org_id
await getAccessTokenSilently({ cacheMode: 'off' }) // get AT with org_id
// ☝️ you don't want this, so...
await logout({ openUrl: false }) // clear local state
await getAccessTokenSilently({ cacheMode: 'off' }) // get AT with no org_id
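
The following is an added example, not code from auth0-react or auth0-spa-js. It models the hint-cookie rule described above (store org_id from the ID token as a hint; when getTokenSilently gets no organization option, send the hint instead) so the sequence of calls in the reply can be traced and the org_id claim checked at each step. Because the hint lives in a cookie rather than the in-memory token cache, it survives a page refresh and is unaffected by ignoreCache / cacheMode: 'off', which is why only a local logout (or deleting the cookie) clears it. The cookie name, the fakeToken helper and the OrgHintModel class are constructed for the example; decodeJwtPayload only reads claims and does not verify a signature.

```javascript
// Added example (not SDK code): a model of the organization-hint behaviour.

// Decode the payload of a compact JWT without verifying it. This is enough for
// the issue's "decode the token and look at org_id" steps on a token you already
// hold; it is not a substitute for signature verification on a resource server.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS token');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Constructed helper: mints an unsigned sample token so the model runs offline.
function fakeToken(payload) {
  const enc = (o) =>
    Buffer.from(JSON.stringify(o)).toString('base64')
      .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}

// Placeholder cookie name (assumption; the real cookie name is not on the page).
const ORG_HINT_COOKIE = 'org_hint';

class OrgHintModel {
  constructor() { this.cookies = {}; }

  // "If an org_id claim is returned in the ID token, store it as a hint."
  storeHintFromIdToken(idToken) {
    const { org_id } = decodeJwtPayload(idToken);
    if (org_id) this.cookies[ORG_HINT_COOKIE] = org_id;
  }

  // "No organization in the options -> read the hint cookie and send that."
  resolveOrganization(options = {}) {
    const explicit = options.authorizationParams && options.authorizationParams.organization;
    return explicit || this.cookies[ORG_HINT_COOKIE] || undefined;
  }

  // Stands for the local logout the reply recommends: clears local state,
  // including the hint cookie, without a redirect.
  localLogout() { this.cookies = {}; }

  // One silent token request. The organization that goes into the authorize
  // request is the one that comes back in the token's org_id claim.
  getAccessTokenSilently(options) {
    const org = this.resolveOrganization(options);
    const idToken = fakeToken(org ? { sub: 'user1', org_id: org } : { sub: 'user1' });
    this.storeHintFromIdToken(idToken);
    return decodeJwtPayload(idToken).org_id; // org_id claim, or undefined
  }
}

// Replays the call sequence from the reply and returns the org_id seen at each step.
function replay() {
  const sdk = new OrgHintModel();
  const seen = [];
  seen.push(sdk.getAccessTokenSilently({ cacheMode: 'off' }));            // no org_id
  seen.push(sdk.getAccessTokenSilently({ cacheMode: 'off',
    authorizationParams: { organization: 'org_123' } }));                // org_123
  seen.push(sdk.getAccessTokenSilently({ cacheMode: 'off' }));            // org_123 via hint cookie
  sdk.localLogout();                                                      // clear local state
  seen.push(sdk.getAccessTokenSilently({ cacheMode: 'off' }));            // no org_id again
  return seen;
}
```

Running replay() shows the third call still carrying org_123 although no organization was passed, and the fourth call, after the local logout, carrying none. To confirm the same thing against a real token in the browser, decode the access token's payload after each call and look at the org_id claim.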

@adamjmcgrath, it worked for me. Thank you!
Just a small correction: since the auth0-react version used here is ^1.9.0, the solution to get a token with no organization should be:

await logout({ localOnly: true }) // clear local state
await getAccessTokenSilently({ cacheMode: 'off' }) // get AT with no org_id

Because openUrl isn't a part of the logout options, TS might complain about this.

We can close it now.

Thanks @enshtein06 👍