Welcome to the Kinde community.

App infinitely redirects after login on single environment

Hi team,
A really strange issue has just popped up for us today. One of our apps is infinitely redirecting after login and we can't figure out why.
Everything was working on Friday, and we haven't done any deployments since then, but now any user of the app is stuck in an infinite redirect loop.
More strange is that this is only happening on a single app in a single env.
Has there been any changes that we should be aware of?

Hey, sorry to hear that you are seeing this. Are you using React, correct?

Thanks and you only have one app setup in this same environment?

no, we have 2 environments, with 2 apps in each.
Only 1 app in the production env has suddenly broken

Ah sorry, that's wrong. we have 4 envs, with 2 apps in each

each env has a front end app and an M2M app

from what I can see the front end app in production is infinite redirecting

I haven't checked backend logs yet

Thanks for the details let me get the team to look into this quickly.

are you able to provide a link to your public authentication? or screenshots of what the errors are showing in the browser console?

There are no errors in the browser console that I can see, it's just instantly redirecting. Strangely enough though it only seems to be happening to some users. I just signed up with a new user and it didn't happen, which makes it look like it might be related to business logic. It's just a bit odd given it came out of nowhere

But just wanted to check to see if anything had changed at this stage, if not we'll take a look on our side

Thanks for the detail, are you still able to share what the URL is?

Ok, I've spent some time digging into it and it's starting to look like a potential issue on your side, more than happy to be proven wrong.

Attachment
Screenshot 2024-07-01 at 7.01.49 pm.png

oauth2/token is called successfully

I'm stepping through the script, idToken is null somehow?

Attachment
Screenshot 2024-07-01 at 7.04.50 pm.png

but it's there in data

I don't know why this is happening to some users and not others though

Why would idToken ever be nil? And why is this causing a redirect?

Given this logic, I'm guessing it's failing to parse it

Attachment
Screenshot 2024-07-01 at 7.13.47 pm.png

Hi are you able to share an id or email address of a user this is an issue for please?

https://jwt.io/ is showing it correctly, but when running that function in the browser this is what I'm getting:
InvalidCharacterError: Failed to execute 'atob' on 'Window': The string to be decoded is not correctly encoded.
at :3:23
at mn (:16:5455)

Happy to share the full data object if need be

Thanks, can you confirm:

  • which authentication method are you using (password / otp / social login)
  • are you using any MFA methods?
  • Is the redirect happening in your app / via the sdk code, i.e. after your callback end point

standard email and password.
No MFA
the redirect appears to occur somewhere in your SDK. It's not making it to my callback

There is something malformed with the token returning for this (and a few other) users

sorry, JWT is showing an invalid signature

The alg in the token is specified as RS256, which doesn't look correct

I have a token from a working user and a non working user. Is there a way for me to share them securely with you

The token for aron@cocredit.com.au is working, the token for aron.bury@gmail.com is not

Attachments
Screenshot 2024-07-01 at 7.32.35 pm.png
Screenshot 2024-07-01 at 7.32.43 pm.png

I'm a liiiiiiiitle bit concerned about this tbh

We are investigating now. If possible can you DM me the tokens please?

Thanks Daniel, pm'd now

Ok, some good news. I've just tried updating @kinde-oss/kinde-auth-react from 3.0.20 to 4.0.1 and that appears to have done the trick

the jwtDecode function in this version looks much more robust

Attempting a deploy now to see if this is fixed on production, difficult to verify on localhost as prod APIs are blocking

Still worth looking into on your side, the fact that random tokens can't be decoded is pretty concerning

OK that's good to know, we'll continue to investigate the issue in the earlier version. Could you send a revised JWT for the user that was previously broken if possible please

I can, but I'd expect it's just due to the jwtDecode function in that library

It can decode some versions but not others

The two tokens you sent, were they from the same environment?

same app same env

Confirming this works on production

Great thanks for confirming

Hi team, has there been any update on this? Appreciate that updating the client has fixed it, but I'm pretty concerned that this occurred and we had no notification about it, and it took me digging into your client side SDK to resolve it

Hey thanks for the detailed breakdown. shared the two tokens with me, I’ve run the old decoder logic on both of them and they both seem to parse fine in the browser (tested Firefox and Chrome), which browser was badToken failing to parse in?

Hi Dave,
Can you share the code you're using to parse them? I tested it in multiple browsers (chrome, firefox, safari) and they're all producing the same result

const response = JSON.parse(atob(goodUserToken.split(".")[1]))
This is the parsing code in the previous version of the SDK

I'm getting the same results when I step through your SDK and paste into the browser console, the functions are fairly standard so I wouldn't expect any differences in their internal implementation

Hmm I used this also and parsing was fine for both

const response = JSON.parse(atob(goodUserToken.split(".")[1]))

Not sure what else I can say mate. I've had it confirmed happening on multiple browsers across multiple users and multiple tokens

Keen to get to the bottom of it, do you have a couple of minutes for a call?

Not right now sorry but I'm happy to chat during business hours tomorrow

Ah cool, are you in AU?

Cool, I’ll hit you up tomorrow. Thanks again for all the digging
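
Added example (not part of the thread and not Kinde SDK code): JWT segments are base64url-encoded, while `atob` accepts only the standard base64 alphabet, so the one-liner quoted above throws `InvalidCharacterError` whenever a payload segment happens to contain `-` or `_`. That is one known way this decoder fails for some tokens and not others; the thread does not confirm it as the cause here. The tokens are constructed and unsigned, and `makeToken`, `naiveDecode`, `robustDecode` and `tryDecode` are hypothetical names.

```javascript
// Added example. Token contents are constructed, not taken from the thread.
const b64url = (obj) =>
  Buffer.from(JSON.stringify(obj), "utf8").toString("base64url");

// Build an unsigned, constructed token; only the payload segment matters here.
function makeToken(payload) {
  return [b64url({ alg: "RS256", typ: "JWT" }), b64url(payload), "sig"].join(".");
}

// The one-liner quoted in the thread: atob() applied directly to the segment.
function naiveDecode(token) {
  return JSON.parse(atob(token.split(".")[1]));
}

// Map base64url to base64, restore padding, then decode the bytes as UTF-8.
function robustDecode(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  let seg = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  seg += "=".repeat((4 - (seg.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(seg), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

// Run a decoder and report success or the error name instead of throwing.
function tryDecode(fn, token) {
  try {
    return { ok: true, claims: fn(token) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// "Plain" encodes without '-' or '_'. Three consecutive '?' characters
// guarantee one lands on the last byte of a 3-byte group, which encodes
// to '/' in base64 and '_' in base64url.
const goodToken = makeToken({ sub: "kp_constructed", name: "Plain" });
const badToken = makeToken({ sub: "kp_constructed", name: "Who???" });

console.log("naive/good :", tryDecode(naiveDecode, goodToken));
console.log("naive/bad  :", tryDecode(naiveDecode, badToken));
console.log("robust/bad :", tryDecode(robustDecode, badToken));
```

Decoding only reads the claims; it does not verify the signature, which still has to be checked against the issuer's keys before the claims are trusted.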
