Troubleshoot Login and Logout Issues in Auth0
Troubleshooting login and logout issues in Auth0 requires verifying the authentication flow, session establishment, and application configurations. Review the HTTP Archive (HAR) files, tenant logs, and application settings to identify and resolve the root cause of authentication failures.
How are login issues troubleshooted?
Isolate the cause of login failures by verifying the credential prompts, session establishment, logs, and token generation.
Is the user prompted for login credentials?
Verify if the user is prompted for credentials by performing the following checks:
- Check if the HAR file shows a call to the authorization server (/authorize endpoint).
  - NOTE: Remove or obfuscate all sensitive data, including confidential user information, Personally Identifiable Information (PII), and application information, before sharing a HAR file. Review the Related References section for more information on sanitizing HTTP traces.
- Verify that the connection is enabled for the application.
- Verify that the remote authorization service is available.
- Turn off customization if using the Auth0 Universal Login Page to determine if authentication works. Review the Universal Login Page customization code if the login works without customizations.
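The NOTE above asks for sensitive data to be removed from a HAR file before it is shared. The following Python is an added example, not part of the Auth0 article or Auth0 tooling: it masks credentials, tokens and cookies in a HAR document. The list of sensitive names, the hosts and the sample entry are assumptions constructed for illustration.

```python
import copy
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed list of sensitive names (not from the article); extend as needed.
SENSITIVE = {"authorization", "cookie", "set-cookie", "code", "id_token",
             "access_token", "refresh_token", "password", "client_secret",
             "samlresponse", "username", "email", "login_hint"}
MASK = "REDACTED"

def scrub_encoded(text):  # query string or URL fragment
    pairs = parse_qsl(text, keep_blank_values=True)
    masked = urlencode([(k, MASK if k.lower() in SENSITIVE else v) for k, v in pairs])
    return masked if "=" in text else text

def scrub_url(url):
    p = urlsplit(url)
    return urlunsplit(p._replace(query=scrub_encoded(p.query), fragment=scrub_encoded(p.fragment)))

def scrub_pairs(pairs):  # HAR name/value lists: headers, queryString, params
    for item in pairs or []:
        if item["name"].lower() in SENSITIVE:
            item["value"] = MASK
        elif item["name"].lower() == "location":
            item["value"] = scrub_url(item["value"])

def sanitize_har(har):  # returns a sanitized copy; the input is not modified
    out = copy.deepcopy(har)
    for entry in out["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        req["url"] = scrub_url(req["url"])
        for msg in (req, resp):
            scrub_pairs(msg.get("headers"))
            msg["cookies"] = []                     # drop the parsed cookie list
        scrub_pairs(req.get("queryString"))
        post = req.get("postData") or {}
        scrub_pairs(post.get("params"))
        if "text" in post:
            post["text"] = MASK                     # raw body may hold a password
        resp.get("content", {}).pop("text", None)   # drop response bodies
        resp["redirectURL"] = scrub_url(resp.get("redirectURL", ""))
    return out

# Constructed sample entry (hypothetical hosts and values, not captured traffic).
SAMPLE = {"log": {"entries": [{
    "request": {"url": "https://tenant.example/login/callback?code=abc123&state=xyz",
                "headers": [{"name": "Cookie", "value": "auth0=s3ss10n"}],
                "postData": {"text": "username=alice&password=hunter2"}},
    "response": {"headers": [{"name": "Location", "value": "https://app.example/cb#id_token=a.b.c"}],
                 "content": {"text": "alice@example.com"}}}]}}
```

The state parameter is left in place so that requests can still be correlated; review the output by hand before attaching it to a ticket.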
Is an error message shown after entering credentials?
Investigate errors that occur after entering credentials by performing these actions:
- Test the login through an alternative method to ensure the credentials are correct.
- Check if the password has expired.
- Check the browser developer tools or web inspector console for errors in the flow before returning to Auth0.
- Check the HAR file to determine if it shows a return to Auth0 (/login/callback endpoint). Verify that the identity provider has the correct callback URL for Auth0 if the return is missing.
Is a login session established for the user at the authorization server?
Verify if a login session is established at the authorization server by performing this test:
- Open a second tab in the same browser and navigate to the same URL.
- Verify if the browser prompts for login again. A session exists if no prompt appears.
Is a log entry created in the Auth0 Logs?
Check the Auth0 logs and user profiles by reviewing the following areas:
- Verify if a log entry exists in the Auth0 Logs. The authentication transaction failed to complete or return to Auth0 if no log entry exists.
- Check the response from the authorization server for error messages.
- Check the authorization server logs for errors.
Is an entry created in the Auth0 user’s screen with all the correct profile info?
Check that a correct entry was created in the Auth0 user’s screen by reviewing the following areas:
- Verify if an entry exists in the Auth0 user screen with all the correct profile information. If that is not the case, check the authorization server's response in the HAR file for missing profile information.
- Check the rules scripts for issues if using rules.
- Check the database action scripts for issues if using a custom database connection.
- Check the profile mapper script (profileMapper.js) for issues if using Lightweight Directory Access Protocol (LDAP).
- Check the social connection configurations to determine what profile information is requested.
Does the HAR file show a token or assertion returned to the application?
Verify if a token or assertion is returned to the application by performing these steps:
- Look in the HAR file for the call to the application callback URL to determine if a token or assertion was returned to the application.
- Find the ID Token (id_token) and check if it contains the information needed by the application.
- Decode the token or assertion to verify it contains the expected information. View JSON Web Tokens (JWTs) with JWT.io and Security Assertion Markup Language (SAML) assertions with SAMLTool.io.
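The HAR checks from the sections above (a call to /authorize, a return to /login/callback, and a token delivered to the application callback) can be scripted. The following Python is an added example, not part of the Auth0 article; the hosts, the application callback URL, the required claim names and the simplified sample capture are assumptions constructed for illustration. The id_token payload is decoded locally for inspection only, without signature verification.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

def decode_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def trace_login(har, app_callback, required_claims):
    """Report which stages of the login flow appear in a HAR capture."""
    report = {"authorize": False, "login_callback": False,
              "returned": [], "missing_claims": None}
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry.get("response", {})
        path = urlsplit(req["url"]).path
        report["authorize"] |= path == "/authorize"
        report["login_callback"] |= path == "/login/callback"
        # HAR request URLs omit the fragment, so also read the redirect that
        # sends the browser to the application callback.
        params = {}
        for url in (req["url"], resp.get("redirectURL", "")):
            if url.startswith(app_callback):
                parts = urlsplit(url)
                params.update(parse_qs(parts.query))
                params.update(parse_qs(parts.fragment))
        if req["url"].startswith(app_callback):      # form_post response mode
            params.update(parse_qs((req.get("postData") or {}).get("text", "")))
        found = {"code", "id_token", "SAMLResponse", "error"} & set(params)
        report["returned"] = sorted(set(report["returned"]) | found)
        if "id_token" in params:
            claims = decode_claims(params["id_token"][0])
            report["missing_claims"] = sorted(set(required_claims) - set(claims))
    return report

def _seg(obj):  # helper used only to build the constructed sample token
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed, simplified sample capture (hypothetical hosts, not real traffic).
TOKEN = ".".join([_seg({"alg": "RS256"}), _seg({"sub": "auth0|1", "name": "A"}), "sig"])
SAMPLE = {"log": {"entries": [
    {"request": {"url": "https://tenant.example/authorize?client_id=abc&prompt=login"},
     "response": {"redirectURL": ""}},
    {"request": {"url": "https://tenant.example/login/callback"},
     "response": {"redirectURL": "https://app.example/callback#id_token=" + TOKEN}},
]}}

if __name__ == "__main__":
    print(trace_login(SAMPLE, "https://app.example/callback", ["sub", "email"]))
```

A stage reported as False, or a non-empty missing_claims list, points to the matching checklist section above.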
How are Single Sign-On (SSO) failures investigated for already logged-in users who cannot access another application?
Investigate Single Sign-On (SSO) failures by checking the following configurations:
- Determine whether the user is attempting to log in to the second application from the same browser used for the initial login.
- Navigate to Tenant Settings > Advanced Settings and check the Log In Session Management settings. Determine if the second login attempt occurred within the timeout period.
- Check the value passed as the prompt parameter in the /authorize call.
- Verify that the connection used to log in to the first application is enabled for the second application.
- Verify that the second application received all the necessary user profile information.
- Use a browser-based flow if using a mobile device. See Best Practices.
How are application logs checked?
Check the application logs by verifying these details:
- Review the application logs for any errors.
- Verify that the application received all necessary information, such as groups or user profile attributes.
How are logout issues troubleshooted?
Troubleshoot logout issues by verifying the following configurations:
- Verify that the logout redirect URLs are in the allowlist. A redirect URL used in a logout call must be registered in either the tenant or application settings.
- Append the ?federated parameter to the logout call if federated logout is required.
- Ensure that the logout redirect URL is different from the login callback URL.
- Configure the logout redirect URL as an anonymous page (not protected by login) so that redirects to the logout redirect URL do not immediately trigger a login.
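The first three logout checks can be run against a logout call taken from a HAR file or from application code. The following Python is an added example, not part of the Auth0 article. It assumes the redirect is passed in the returnTo query parameter of the /v2/logout endpoint (neither name appears on this page) and compares allowlist entries by exact match; the hosts and URLs are constructed.

```python
from urllib.parse import parse_qs, urlsplit

def check_logout_url(logout_url, allowed_logout_urls, login_callback,
                     want_federated=False):
    """Return a list of findings for one logout call; an empty list means none."""
    # keep_blank_values=True matters here: "federated" is sent as a bare flag
    # with no value, and parse_qs drops valueless parameters by default.
    params = parse_qs(urlsplit(logout_url).query, keep_blank_values=True)
    findings = []
    return_to = params.get("returnTo", [None])[0]   # assumed parameter name
    if return_to is not None:
        # Exact comparison is an assumption; adapt it if the allowlist
        # configured for the tenant or application uses patterns.
        if return_to not in allowed_logout_urls:
            findings.append("returnTo is not in the allowlist")
        if return_to.rstrip("/") == login_callback.rstrip("/"):
            findings.append("returnTo equals the login callback URL")
    if want_federated and "federated" not in params:
        findings.append("federated logout wanted but ?federated is missing")
    return findings

# Constructed sample values (hypothetical tenant and application hosts).
ALLOWED = ["https://app.example/logged-out"]
CALLBACK = "https://app.example/callback"
GOOD = ("https://tenant.example/v2/logout?federated&client_id=abc"
        "&returnTo=https%3A%2F%2Fapp.example%2Flogged-out")
BAD = ("https://tenant.example/v2/logout?client_id=abc"
       "&returnTo=https%3A%2F%2Fapp.example%2Fcallback")

if __name__ == "__main__":
    for url in (GOOD, BAD):
        print(check_logout_url(url, ALLOWED, CALLBACK, want_federated=True))
```

Whether the redirect target is reachable without a login still has to be checked in the application itself.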