Hi everyone.
I’ve been investigating this issue and I believe it’s caused by a behavior in Facebook’s login page which ends up making two consecutive requests to Auth0’s callback URL (e.g. https://yourtenant.auth0.com/login/callback) under certain circumstances.
As you know, Auth0 acts as a client application for Facebook, in a separate OAuth2 conversation that happens when the user clicks on Facebook as the desired authentication method.
- The user was not logged in before
- The timing is just right so that the moment after the user clicks “Log in” in Facebook’s login page (when the browser is redirecting but the page didn’t unload yet) coincides with an automatic login process set by Facebook.
From the Auth0 point of view, this is seen as an attempt to send two consecutive responses to the same authentication request, which is invalid from an OAuth2 perspective and causes the error displayed by Auth0.
I’ve reported this to Facebook at Log into Facebook if you are curious for more technical details and want to check for outcomes.
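
The double-response condition described in the post above, as an added example that is not part of the original post and is not Auth0's code: a hypothetical `AuthTransactionStore` treats the OAuth2 `state` value as single-use, so a second callback for the same authentication request is rejected. The class, function names, result labels and the 600-second lifetime are assumptions made for illustration.

```python
import secrets
import time

STATE_TTL_SECONDS = 600  # assumed lifetime of a pending authentication request


class AuthTransactionStore:
    """Tracks pending authorization requests keyed by the OAuth2 state value."""

    def __init__(self, now=time.monotonic):
        self._now = now
        self._pending = {}     # state -> expiry time
        self._consumed = set()  # kept so a replay can be told apart from an unknown state

    def begin(self):
        """Start an authorization request and return its single-use state."""
        state = secrets.token_urlsafe(32)
        self._pending[state] = self._now() + STATE_TTL_SECONDS
        return state

    def handle_callback(self, state, code):
        """Accept the first response for a state and reject any later one."""
        expiry = self._pending.pop(state, None)  # pop makes the state single-use
        if expiry is None:
            if state in self._consumed:
                return ("rejected", "duplicate_response")
            return ("rejected", "unknown_state")
        if self._now() > expiry:
            return ("rejected", "expired_state")
        self._consumed.add(state)
        return ("accepted", code)


def simulate_double_callback():
    """Constructed scenario: the identity provider redirects twice for one request."""
    store = AuthTransactionStore()
    state = store.begin()
    first = store.handle_callback(state, "code-from-manual-login")
    second = store.handle_callback(state, "code-from-automatic-login")
    return first, second


if __name__ == "__main__":
    for outcome in simulate_double_callback():
        print(outcome)
```

In application logs, a `duplicate_response` shortly after an `accepted` result for the same state matches the double-redirect pattern described above, while `unknown_state` points to a callback that was never initiated by this client.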