Skip to content

Commit

Permalink
Apply suggestions from code review
Browse files Browse the repository at this point in the history
Co-authored-by: Adam Mcgrath <adam.mcgrath@auth0.com>
  • Loading branch information
frederikprijck and adamjmcgrath authored Sep 15, 2023
1 parent dd5e089 commit c6a8e70
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions FAQ.md
Original file line number Diff line number Diff line change
Expand Up @@ -102,9 +102,9 @@ new Auth0Client({
## Why is isAuthenticated returning true when there are no tokens available to call an API?
As long as the SDK has an id token, you are considered authenticated, because it knows who you are. It might be that there isn't a valid access token and you are unable to call an API, the SDK still knows who you are because of the id token.

Authentication is about who u are (id token), not what you can do (access token). The latter is authorization, which is also why you pass the access token to the API in the Authorization header.
Authentication is about who you are (id token), not what you can do (access token). The latter is authorization, which is also why you pass the access token to the API in the Authorization header.

So even when the refresh token fails, or `getTokenSilently` returning nothing, that doesn't impact the existence of the id token, and as a consequence of that, the authentication state. So it's expected for isAuthenticated to stay true in that case.
So even when the refresh token fails, or `getTokenSilently` returns nothing, that doesn't impact the existence of the id token, and as a consequence of that, the authentication state. So it's expected for isAuthenticated to stay true in that case.

On top of that, the SDK can have multiple access tokens and multiple refresh tokens (e.g. when using multiple audience and scope combinations to call multiple API's), but only one id token.
If there are multiple access and refresh tokens, and one of the refresh tokens fails, it doesnt mean the other access tokens or refresh tokens are invalid and they might still be perfectly usable.

0 comments on commit c6a8e70

Please sign in to comment.