Auth0 Duplicate Token

Hello, I am working on using the Web3Auth single-factor-sdk alongside an Auth0 email passwordless flow, but find myself running into an issue. Previously, when using the modal sdk, I could just call “connect()” whenever React loses the session and web3auth would fetch some localStorage state and essentially reconnect itself. Now with the use of the single-factor-sdk I am getting a “Duplicate token found” error when attempting a similar flow. From looking at other posts, it seems that the modal sdk performs an auto revoke and that’s what’s needed, but from what I understand about Auth0, they don’t issue refresh tokens for simple email passwordless flows (only for OAuth).
The question in all of this is simply how I’d go about persisting a session (using the above mentioned setup) so that users don’t have to go through the entire login session every time React loses it, because it seems that’s the only route forward…? Currently using jotai, which works great for keeping the session alive in best-case scenarios, but the second there is a hard refresh or anything that breaks the lifecycle, we are in a spot of being logged in but disconnected from the wallet, so that’s something we would love to fix and would appreciate any insight!

Hello @val,

I was wondering if you could share some insight on how you obtain the id_token from Auth0. Are you utilizing web3auth’s auth0 verifier?

If it’s not too much trouble, could you kindly provide the init and login code snippets, as well as the code you use to receive the id_token?

Thank you in advance.

Hi @shahbaz, yeah of course. We are instantiating an auth0 client and calling passwordlessStart() to start our flow, followed by a call to their authentication API to verify the OTP. This idToken is then passed into the web3auth single-factor-auth connect function. I believe the web3auth verifier is under the “custom” label and set up using the auth0 jwks route with appropriate iss and aud fields, as iirc that was the way recommended by a guide I followed.

We have a NextJS API route that calls https://${auth0IssuerUrl}/oauth/token with some params:

body: JSON.stringify({
    grant_type: "http://auth0.com/oauth/grant-type/passwordless/otp",
    client_id: {auth0 client id},
    client_secret: {auth0 client secret},
    username: {email},
    otp: {OTP},
    realm: "email",
    scope: "openid profile email",
}),

This is the function that handles the above mentioned API call on the frontend.

// `email` (the address the user entered), `setIdToken` (React state setter) and the
// `Auth0Response` type are in scope from the surrounding component.
async function handlePasswordlessVerify(
  verificationCode: string
): Promise<Auth0Response> {
  try {
    // Calls our NextJS API route, which holds the Auth0 client secret and
    // exchanges the OTP for tokens server-side.
    const response = await fetch("/api/auth", {
      method: "POST",
      headers: { "content-type": "application/json" },
      body: JSON.stringify({
        email,
        otp: verificationCode,
      }),
    });
    if (!response.ok) {
      throw new Error(response.statusText);
    }

    const { data } = await response.json();
    setIdToken(data.id_token);
    return data;
  } catch (e) {
    // The underlying error is dropped; only a generic message reaches the caller.
    throw new Error("Error verifying otp");
  }
}

Then take the idToken and pass into web3auth connect():

// `verifier`, `email`, `idToken` and `setWeb3AuthProvider` come from the surrounding component.
const provider = await web3AuthClient.connect({
  verifier,
  verifierId: email,
  idToken,
});
if (!provider) {
  throw new Error("Failed to connect to web3auth");
}
setWeb3AuthProvider(provider);
// Ask the Web3Auth provider for the user's private key via its "private_key" RPC method.
const key: Maybe<string> = await web3AuthClient.provider?.request({
  method: "private_key",
});

I don’t know if it’ll be any help but the web3auth verifier is named “auth0-jwt-email-w-slash” under testnet.
I hope I answered your question, but if not feel free to ask for more and I’ll gladly provide.

Thank you
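As an added example (not the poster's code), here is the server-side half of the flow described above, the NextJS API route's OTP exchange, written as a pure function so the Auth0 client secret stays on the server and only the id_token is returned to the browser. The names exchangeOtpForIdToken, OtpExchangeConfig and FetchLike are assumptions; FetchLike exists so the call can be exercised with a fake fetch.

```typescript
// Added example, not the original poster's code. Assumed names: FetchLike,
// OtpExchangeConfig, exchangeOtpForIdToken. The issuer domain and IDs used in
// any test are constructed placeholders.
type FetchLike = (
  url: string,
  init: { method: string; headers: Record<string, string>; body: string }
) => Promise<{ ok: boolean; status: number; json: () => Promise<any> }>;

interface OtpExchangeConfig {
  issuerDomain: string;  // Auth0 tenant domain, e.g. "tenant.example.auth0.com" (placeholder)
  clientId: string;
  clientSecret: string;  // read from a server-only env var; never shipped to the client
  fetchImpl: FetchLike;  // real fetch in the route handler, a fake in tests
}

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const OTP_RE = /^[0-9]{6}$/;  // assumes the tenant's default 6-digit email OTP

export async function exchangeOtpForIdToken(
  cfg: OtpExchangeConfig,
  email: string,
  otp: string
): Promise<{ id_token: string }> {
  // Reject malformed input before spending an Auth0 call (and a rate-limit slot) on it.
  if (!EMAIL_RE.test(email)) throw new Error("invalid email");
  if (!OTP_RE.test(otp)) throw new Error("invalid otp");

  const response = await cfg.fetchImpl(`https://${cfg.issuerDomain}/oauth/token`, {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify({
      grant_type: "http://auth0.com/oauth/grant-type/passwordless/otp",
      client_id: cfg.clientId,
      client_secret: cfg.clientSecret,
      username: email,
      otp,
      realm: "email",
      scope: "openid profile email",
    }),
  });

  if (!response.ok) {
    // Log Auth0's error body server-side; do not forward it to the browser.
    throw new Error(`otp exchange failed (${response.status})`);
  }
  const body = await response.json();
  if (typeof body.id_token !== "string") throw new Error("no id_token in response");
  // Return only the id_token: Web3Auth connect() needs nothing else from this response.
  return { id_token: body.id_token };
}
```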

Hey

For anyone with a similar situation, I realized that the latest version of single-factor-sdk has session management built in, but it's not quite in the docs yet (as far as I can tell): https://github.com/Web3Auth/single-factor-auth-web

Just needed to do some refactoring within our code to properly initialize cosmwasm clients on rehydration.

Thank you @shahbaz for your response and effort!

Hi @val,

Thank you for providing such detailed information. I was wondering if you could assist me by providing the following details:

  • Could you please share the name of the verifier and its network?
  • I would also like to know if the verifierId you are passing is an actual email like `abc@xyz.com` or just the word “email”?
  • Lastly, could you provide me with a sample idToken?

Thank you!

We have not received any response from your end. Do reply if you need help.

You may join our upcoming community call - Web3Auth Community Call #4.