I developed a shinyapp and I deployed using shinyapps_io service. I deployed into my personal account and works fine but when I deploy it into a payed account after the login it redirects to a url like the one below, and the code and state parameters keep changing.
If you are experiencing an endless redirect loop (where the URL constantly flashes new code and state values) , it could be a symptom of a Session State Failure during the OAuth2 Authorization Code Flow.
When your paid ShinyApps environment receives the code and state from Auth0, it attempts to validate the state against what it originally stored in the user’s browser session. If it cannot find that original state (usually because the session cookie was dropped, blocked, or not securely scoped to the new paid domain), the auth0 package assumes the login attempt is invalid or malicious. It immediately rejects the login and throws the user back to Auth0 to try again, causing the infinite loop.
The transition from a personal ShinyApps tier to a paid tier often involves changes in load balancing, cookie domains, or worker processes. Could you check the following things regarding your ShinyApp implementation?
Double-check your Auth0 Dashboard → Applications → Settings. Ensure that your exact paid URL is listed in the Allowed Callback URLs : https://resplab.shinyapps.io/forecasting-cf/ (Ensure the trailing slash is perfectly matched if your app enforces it).
Paid ShinyApps environments strictly enforce HTTPS. If the underlying R session or load balancer thinks it is running on HTTP (even if the browser shows HTTPS), it might refuse to set secure cookies. Ensure your _auth0.yml file and Auth0 Application settings consistently use https:// everywhere.
Paid ShinyApps tiers often use multiple R worker processes to handle traffic. If Worker A initiates the login (saving the state in its memory) but Worker B receives the callback from Auth0, Worker B won’t recognize the state and will reject the login.
The auth0 R package needs to use a session store that is shared across workers, or you need to configure your ShinyApps deployment to use “sticky sessions” (so a user always hits the same worker).
Review the auth0 package documentation for configuring shared session storage (like saving the state in a file or database instead of RAM) if your paid tier utilizes multiple concurrent workers.