Note: auth0-react uses Auth0 SPA JS behind the scenes, so be sure to check their FAQs too.
- User is not logged in after page refresh
- User is not logged in after successful sign in with redirect
There are usually 2 reasons for this:
1. The user logged in with a Social Provider (like Google) and you are using the Auth0 Developer Keys
If you are using the Classic Universal Login experience, Silent Authentication won't work on the /authorize endpoint. This library uses Silent Authentication internally to check if a user is already signed in after page refresh, so that won't work either. You should either change to the New Universal Login experience or add your own keys to that particular social connection.
2. You are using a browser like Safari or Brave that has Intelligent Tracking Prevention turned on by default
In this case Silent Authentication will not work because it relies on a hidden iframe being logged in to a different domain (usually auth0.com) and browsers with ITP do not allow third-party (eg iframed) cookies. There are 2 workarounds for this using Rotating Refresh Tokens or Custom Domains
If after successfully logging in, your user returns to your SPA and is still not authenticated, do not refresh the page - go to the Network tab on Chrome and confirm that the POST to oauth/token resulted in an error 401 Unauthorized. If this is the case, your tenant is most likely misconfigured. Go to your Application Properties in your application's settings in the Auth0 Dashboard and make sure that Application Type is set to Single Page Application and Token Endpoint Authentication Method is set to None (Note: there is a known issue with the Auth0 "Default App", if you are unable to set Token Endpoint Authentication Method to None, create a new Application of type Single Page Application or see the advice in issues/93)