auth0.js: Nonce does not match [8.2.0]

I’m using parseHash to parse the access_token returned after logging a user in and occasionally receiving an error about the nonce not matching.

    this.auth0 = new auth0.WebAuth({
      clientID: clientId,
      domain: domain,
      leeway: 60 // 1 minute leeway for clock skew when validating the id_token
    });

...

    parseInfo(hash) {
      return new BluebirdPromise((resolve, reject) => {
        return this.parseHash(hash, (err, authResult) => {
          if (err) {
            // surface the parse/verification error to the caller instead of only logging it
            return reject(err);
          }
          const {accessToken, idToken} = authResult;

          return this.auth0.client.userInfo(accessToken, (err, profile) => {
            if (err) {
              return reject(err);
            }
            return resolve({profile, idToken});
          });
        });
      });
    }

...

    _socialLogin(connection) {
      // redirects the call to the auth0 instance
      const loginParams = {
        connection: connection,
        responseType: 'token id_token',
        redirectUri: `${Config.clientUrl}/auth/callback`,
        scope: LOGIN_TOKEN_SCOPE
      };

      this.auth0.authorize(loginParams);
    }

I’m passing window.location.hash to the parseInfo function. Is there something I’m missing based on the above configuration that might sometimes return a nonce match error?

About this issue

  • State: closed
  • Created 7 years ago
  • Comments: 32 (11 by maintainers)

Most upvoted comments

FYI: in my case, the problem was that I was calling parseHash and not specifying options (as the samples, e.g. https://github.com/auth0-samples/auth0-react-samples/blob/master/01-Login/src/Auth/Auth.js#L29, do). Once I changed:

    this.auth0.parseHash((err, authResult) => {

to

    this.auth0.parseHash(window.location.hash, (err, authResult) => {

the nonce complaint went away.

Thanks @davidascher, that fixed my problem as well. Strange though as the sample Angular 2 app on Auth0 site did not include the window.location.hash.

I ended up changing to the following in my code: webAuth.parseHash(window.location.hash, (err, authResult) => and it seems to be OK; I will do more testing though. It must have been quite recent, because I used quite a recent one; see here:

https://auth0.com/docs/quickstart/spa/vanillajs/01-login this is still using webAuth.parseHash(function(err, authResult) {

or is this correct?

Might just be a case of documentation that’s out of date?

We’re using hosted lock and we’re experiencing the same issue, but only sometimes.

As @tiny-dancer already mentioned: the “fix” of using this.auth0.parseHash(window.location.hash, (err, authResult) => { works because it simply disables the token verification. The parseHash function accepts either a callback, or an options object and a callback. The proper way to pass the hash would be this.auth0.parseHash({hash: window.location.hash}, (err, authResult) => { and it behaves identically to just this.auth0.parseHash((err, authResult) => {.

We noticed that sometimes function authorize will not persist generated nonce. And it leads later (after redirecting to the callback page) to the Nonce does not match error. We failed to understand why exactly it’s happening.

Most of the time it is possible to reproduce the issue by using Firefox in private browsing mode.

In general, it looks like localStorage behaves strangely from time to time. It might be that authorize tries to use localStorage before it’s available.