Access_denied on sending login request more than once

Hi,

I received a bug report on my customized login page from my colleagues.
They occasionally encounter “oops!, something went wrong” with an error message below:

access_denied: Password login via OIDC-conformant clients with externally-hosted login pages is unsupported. Alternatively, login could have been initiated from the wrong place (e.g., a bookmark).

I was able to reproduce this issue by double-clicking the login button; basically, it happens when the block of code below gets executed more than once:

webAuth.login({
    realm: DATABASE_CONNECTION,   // name of the database connection
    username: username,
    password: password
});

I am curious what the root cause of this issue is from Auth0 side.

Hello, @JamieQeexo - welcome to the Auth0 Community!

This is being caused by a race condition. When performing the login attempt, Auth0.js generates a state, but the state is used twice because of the double click. Since states can only be used once, Auth0 errors out to prevent CSRF.

Let me know if this helps.


Hello @joseantonio.rey,

Thank you for your fast reply!

Given the fact that it is expected behavior from Auth0, do you think it is best practice for me to prevent double-click from my end then?

Hey @JamieQeexo,

Yep, indeed. I would prevent double-clicking, or only process the first click. Otherwise, your users would be prone to hitting this race condition.

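Added example for the two replies above (it is not part of the thread, and it is not Auth0's or Auth0.js's code): a toy model of the one-time-use `state` check that makes the second submission fail, and a client-side single-flight guard that only lets the first click start a login attempt. All names in it (`StateRegistry`, `createFakeWebAuth`, `singleFlight`, `wireLoginForm`, the connection name and credentials) are assumptions made for illustration, and the timing of the fake server is constructed, so it runs offline in Node.

```javascript
// Added example; not Auth0's code and not Auth0.js. Every identifier here is an
// assumption for illustration, not an Auth0 API.

// Toy stand-in for the server-side rule that an OAuth/OIDC `state` value is
// accepted exactly once. A reused (or unknown) state is rejected.
class StateRegistry {
  constructor() {
    this.unused = new Set();
  }
  // Issue a fresh, random, not-yet-consumed state value.
  issue() {
    const state = 'st_' + Math.random().toString(36).slice(2, 12);
    this.unused.add(state);
    return state;
  }
  // True the first time a state is presented, false on any reuse.
  consume(state) {
    if (!this.unused.has(state)) return false;
    this.unused.delete(state);
    return true;
  }
}

// Toy stand-in for an Auth0.js-style webAuth.login(): one transaction state is
// created when a login starts and is presented to the server when the
// asynchronous request completes. Two clicks before completion share that
// state, so the second request is rejected, which is the access_denied case.
function createFakeWebAuth(registry) {
  let transactionState = null;
  return {
    login(options) {
      if (transactionState === null) transactionState = registry.issue();
      const state = transactionState;
      return new Promise((resolve, reject) => {
        setTimeout(() => {
          if (registry.consume(state)) {
            transactionState = null; // transaction finished, next login gets a new state
            resolve({ realm: options.realm, username: options.username, state });
          } else {
            reject(new Error('access_denied: state already used (double submit or CSRF)'));
          }
        }, 5); // constructed latency so both clicks land before either completes
      });
    },
  };
}

// Client-side guard ("only process the first click"): while one attempt is in
// flight, further calls receive the same pending promise instead of starting
// a second attempt with the same transaction state.
function singleFlight(fn) {
  let inflight = null;
  return function guarded(...args) {
    if (inflight !== null) return inflight;
    inflight = Promise.resolve()
      .then(() => fn(...args))
      .finally(() => { inflight = null; });
    return inflight;
  };
}

// Browser wiring (not exercised under Node): disable the button for the duration
// of the attempt so the UI matches the guard. The form field names are assumed.
function wireLoginForm(form, button, guardedLogin) {
  form.addEventListener('submit', (event) => {
    event.preventDefault();
    button.disabled = true;
    const data = new FormData(form);
    guardedLogin({
      realm: 'Username-Password-Authentication', // assumed connection name
      username: data.get('username'),
      password: data.get('password'),
    })
      .catch((err) => console.error(err.message))
      .finally(() => { button.disabled = false; });
  });
}

// Simulate a double click: two login calls issued back to back.
async function doubleClick(loginFn) {
  const creds = { realm: 'Username-Password-Authentication', username: 'alice', password: 'constructed' };
  const results = await Promise.allSettled([loginFn(creds), loginFn(creds)]);
  return {
    fulfilled: results.filter((r) => r.status === 'fulfilled').length,
    rejected: results.filter((r) => r.status === 'rejected').length,
    errors: results.filter((r) => r.status === 'rejected').map((r) => r.reason.message),
  };
}

// Unguarded: one success, one access_denied. Guarded: both callers see the
// single successful attempt and no second request is ever made.
async function runDoubleClickScenario() {
  const rawAuth = createFakeWebAuth(new StateRegistry());
  const unguarded = await doubleClick((creds) => rawAuth.login(creds));
  const guardedAuth = createFakeWebAuth(new StateRegistry());
  const guarded = await doubleClick(singleFlight((creds) => guardedAuth.login(creds)));
  return { unguarded, guarded };
}

runDoubleClickScenario().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Coalescing the second click onto the first promise (rather than dropping it) keeps every caller's await resolving, which matters if more than one piece of UI waits on the result; disabling the button as well covers the case where the user keeps clicking after the first attempt has failed and the guard has already cleared.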

Hi @joseantonio.rey,

Thank you so much for your opinion!
I will reach out to you if disabling double-clicking does not prevent this race condition.

Thanks again.

