Klee Thomas

Posted on • Originally published at blog.kleeut.com

Solving consent_required Auth0 SPA SDK

I've been playing with the Auth0 SPA SDK https://auth0.com/docs/libraries/auth0-spa-js

What's wrong

I keep running into an issue where an error is thrown with code consent_required when trying to initialise the Auth0 client by calling createAuth0Client, which is brought in from the library with import createAuth0Client from "@auth0/auth0-spa-js".

Why it's going wrong

Reading into it, this is because the createAuth0Client function calls getTokenSilently as part of the creation. This call fails when a user has a current session but the parameters of the authentication have changed to require that the user accept some updated conditions.

Examples of where this is going to happen are adding or modifying the useRefreshTokens, scope, or audience properties passed to createAuth0Client.

Note: This will only happen the first time that these permissions are introduced for a user. If the logged-in user has previously accepted these, the prompt will not be required and the client will be created successfully.

How to fix it

The short answer is you need to log the user out so that they can accept the updated conditions you've required. There are two options for how to do this.

If, like me, you're still in the process of experimenting and testing on your local machine, make sure you've logged your test user out before making changes to the parameters passed to createAuth0Client. That may mean undoing the changes, logging the user out, and then making the changes again.

Asking your users to log out so that you can deploy an update isn't going to scale. If you have an application in production or if you've got users on other machines then you'll need a more programmatic solution.

In this case you can use the Auth0Client class constructor, which can be brought in from the same @auth0/auth0-spa-js package, to create the Auth0 client. Fortunately it takes the same options as createAuth0Client, so it's an easy switch. Using this to create an instance of Auth0Client, you can then programmatically log users out. When they log in again they'll see the prompt and be able to log in and continue using your app.
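One way to wire up the programmatic logout described above, as an added example that is not code from the original post or from Auth0. The helper name ensureSession, the status values and the stub client are assumptions made for illustration; the stub stands in for a real Auth0Client so the flow runs offline.

```javascript
// In the browser the client would come from the SDK:
//   import { Auth0Client } from "@auth0/auth0-spa-js";
//   const client = new Auth0Client({ /* same options as createAuth0Client */ });
// Constructing the client directly lets the application make the silent
// token call itself and decide what happens when that call fails.

// Hypothetical helper: resolves to a status the caller can act on.
async function ensureSession(client) {
  try {
    const token = await client.getTokenSilently();
    return { status: "authenticated", token };
  } catch (err) {
    // SDK errors carry the OAuth error code in `err.error`.
    if (err && err.error === "consent_required") {
      // A session exists, but the changed scope / audience / useRefreshTokens
      // settings were never accepted. End the session so that the next
      // login shows the consent prompt.
      await client.logout();
      return { status: "logged_out", reason: err.error };
    }
    if (err && err.error === "login_required") {
      // No session at all, so there is nothing to clear.
      return { status: "anonymous" };
    }
    throw err; // anything else is unexpected: surface it, do not swallow it
  }
}

// Constructed stand-in for Auth0Client (records the calls made on it).
function makeStubClient(errorCode) {
  const calls = [];
  return {
    calls,
    async getTokenSilently() {
      calls.push("getTokenSilently");
      if (errorCode) {
        throw Object.assign(new Error(errorCode), { error: errorCode });
      }
      return "constructed-token";
    },
    logout() {
      calls.push("logout");
    },
  };
}
```

Unrecognised errors are rethrown rather than treated as a signed-out state, so a network or configuration failure is not mistaken for a missing session.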
