ASP.Net website error logging in with AnomalyDetected


Our website has all of a sudden stopped being able to log in even though no changes have been made to the project or Auth0 settings.

Our project is an MVC project and we use the Auth0 SDK in .NET to do custom login. Our version of .NET is 4.6.2 and the auth SDK version is currently 4.2.0.

The code we used to log in a user is:

            // Custom login: the controller posts the submitted credentials to Auth0 through the SDK.
            var auth0 = new AuthenticationApiClient(new Uri("https://" + ConfigurationManager.AppSettings["auth0:Domain"]));
            var redirectUri = Request.Url.Scheme + "://" + Request.Url.Authority + "/signin-auth0";
            var response = await auth0.UsernamePasswordLoginAsync(new UsernamePasswordLoginRequest
            {
                Username = model.Email.Trim().ToLower(),
                Tenant = ConfigurationManager.AppSettings["auth0:Domain"].Split('.')[0],
                ClientId = ConfigurationManager.AppSettings["auth0:ClientIdForApi"],
                Connection = ConfigurationManager.AppSettings["auth0:ClientDatabase"],
                ResponseType = "code",
                RedirectUri = redirectUri,
                Password = model.Password,
                Scope = "openid email"
            });

and all of a sudden today we are now getting an exception when auth0.UsernamePasswordLoginAsync is invoked with this error:

 Error: "AnomalyDetected",
 ErrorCode: "access_denied",
 Message: "Invalid state",
 StatusCode: 403

Any help would be appreciated.


Hi @ready1

UsernamePasswordLoginAsync uses the /usernamepassword/login endpoint. This endpoint was deprecated at the beginning of 2018, so that it can’t be used except in the hosted login page. It was marked as obsolete in the .Net SDK and later removed.

I’m surprised it worked so long for you, TBH. In any case, the recommended path for ASP.Net MVC (pre .Net Core) apps is to use the OWIN OpenIdConnect middleware (as exemplified in our OWIN quickstarts), which handles all the OIDC protocol for you. See for more details.
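
One way to wire up the OWIN OpenID Connect middleware recommended in the answer above, as an added example (not code from the original thread or from Auth0). The `auth0:ClientId`, `auth0:ClientSecret` and `auth0:RedirectUri` setting names, the `"Auth0"` authentication type and the `/Account/Login` path are assumptions; only `auth0:Domain` comes from the question.

```csharp
using System.Configuration;
using System.Web;
using System.Web.Mvc;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(Startup))]

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Assumed appSettings keys, except auth0:Domain which the question already uses.
        string domain = ConfigurationManager.AppSettings["auth0:Domain"];
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            LoginPath = new PathString("/Account/Login")
        });
        // The middleware issues the redirect and validates the callback; the app never sees the password.
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            AuthenticationType = "Auth0",
            Authority = "https://" + domain,
            ClientId = ConfigurationManager.AppSettings["auth0:ClientId"],
            ClientSecret = ConfigurationManager.AppSettings["auth0:ClientSecret"],
            RedirectUri = ConfigurationManager.AppSettings["auth0:RedirectUri"],
            ResponseType = OpenIdConnectResponseType.CodeIdToken,
            Scope = "openid email"
        });
    }
}

public class AccountController : Controller
{
    // Replaces the username/password POST: hand the browser to the hosted login page.
    public ActionResult Login(string returnUrl)
    {
        string target = Url.IsLocalUrl(returnUrl) ? returnUrl : "/"; // reject off-site return URLs
        HttpContext.GetOwinContext().Authentication.Challenge(
            new AuthenticationProperties { RedirectUri = target }, "Auth0");
        return new HttpUnauthorizedResult();
    }
}
```

The URL in the assumed `auth0:RedirectUri` setting has to be registered as an allowed callback URL for the application in the Auth0 dashboard.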