Solving consent_required Auth0 SPA SDK

I've been playing with the Auth0 SPA SDK https://auth0.com/docs/libraries/auth0-spa-js

# What's wrong
I keep running into an issue where an error with the code `consent_required` is thrown when initialising the Auth0 client by calling `createAuth0Client`, which is brought in from the library with `import createAuth0Client from "@auth0/auth0-spa-js"`.

# Why it's going wrong
Reading into it, this happens because the `createAuth0Client` function calls `getTokenSilently` as part of creating the client. That call fails when the user has a current session but the parameters of the authentication have changed in a way that requires the user to accept some updated conditions.

Examples of where this will happen are adding or modifying the `useRefreshTokens`, `scope`, or `audience` options passed to `createAuth0Client`.

Note: This will only happen the first time these permissions are introduced for a user. If the logged-in user has previously accepted them, the prompt will not be required and the client will be created successfully.

# How to fix it
The short answer is you need to log the user out so that they can accept the updated conditions you've required. There are two options for how to do this. 

If, like me, you're still experimenting and testing on your local machine, make sure you've logged your test user out before changing the parameters passed to `createAuth0Client`. If you've already made the changes, undo them, log the user out, and then make the changes again.

Asking your users to log out so that you can deploy an update isn't going to scale. If you have an application in production, or users on other machines, you'll need a more programmatic solution.

In this case you can use the `Auth0Client` class constructor, which can be brought in from the same `@auth0/auth0-spa-js` package, to create the Auth0 client. Fortunately it takes the same options as `createAuth0Client`, so it's an easy switch. Because constructing `Auth0Client` directly doesn't fail on the `consent_required` error the way `createAuth0Client` does, you can create the instance, handle that error yourself and programmatically log the user out; when they log in again they'll see the consent prompt and be able to continue using your app.
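As an added example that is not from the original post, here is one way to make that switch: construct `Auth0Client` directly, attempt `getTokenSilently`, and log the user out when the SDK reports `consent_required` so the next login shows the consent prompt. It assumes the v1 `@auth0/auth0-spa-js` API (`new Auth0Client(options)`, rejected promises carrying a string `error` code, `logout({ returnTo })`); `initAuth`, `makeFakeClient` and the option values are hypothetical, and the fake client is a constructed stand-in so the file runs offline.

```javascript
// Assumed v1 option names; the domain and client_id are placeholders.
const AUTH0_OPTIONS = {
  domain: "YOUR_TENANT.auth0.com",
  client_id: "YOUR_CLIENT_ID",
  audience: "https://api.example.com",        // newly added: triggers the consent prompt
  scope: "openid profile email read:things",   // newly added scope: same effect
  useRefreshTokens: true,
};

// OIDC error codes meaning the existing session cannot be used silently; the
// user must go back through login/consent rather than the app retrying.
const SESSION_NOT_USABLE = new Set(["consent_required", "login_required"]);

// Try to use the current session. If consent (or a fresh login) is required,
// log the user out so the next login presents the updated consent prompt.
async function initAuth(client, returnTo) {
  try {
    const token = await client.getTokenSilently();
    return { status: "authenticated", token };
  } catch (err) {
    if (err && SESSION_NOT_USABLE.has(err.error)) {
      await client.logout({ returnTo });
      return { status: "logged_out", reason: err.error };
    }
    throw err; // network or misconfiguration errors are real failures: surface them
  }
}

// Wiring against the real SDK (v1) in the browser:
//   import { Auth0Client } from "@auth0/auth0-spa-js";
//   const client = new Auth0Client(AUTH0_OPTIONS);
//   initAuth(client, window.location.origin).then(console.log);

// Constructed stand-in for Auth0Client so this example runs without the SDK.
// failure: null (success), a string error code (SDK-style error), or an Error.
function makeFakeClient(failure) {
  const calls = [];
  return {
    calls,
    async getTokenSilently() {
      calls.push("getTokenSilently");
      if (failure instanceof Error) throw failure;
      if (failure) { const e = new Error(failure); e.error = failure; throw e; }
      return "token-123"; // constructed sample value, not a real token
    },
    async logout(opts) { calls.push("logout:" + opts.returnTo); },
  };
}
```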
