We are using an Auth0 hosted custom login page. The page uses the latest Auth0.js library (v9.8.2) and we use the webAuth.authorize() method for Facebook logins.
This worked consistently for us for over a year but suddenly stopped working in early November (Nov 12 possibly).
Now, when we log in with Facebook, instead of being taken to the page specified by our redirect URI, we get the Auth0 error page:
_Oops!, something went wrong_ You may have pressed the back button, refreshed during login, opened too many login dialogs, or there is some issue with cookies, since we couldn't find your session. Try logging in again from the application and if the problem persists please contact the administrator.
Login works as expected when we are already logged in to Facebook (so after the first attempt it will work fine).
Hello @andreamontoya. On the “Oops” page there’s a link to show additional details. Can you expand that and report the details here? Not sure I can help you but the details may be useful to others.
**invalid_request** : You may have pressed the back button, refreshed during login, opened too many login dialogs, or there is some issue with cookies, since we couldn't find your session. Try logging in again from the application and if the problem persists please contact the administrator.
Hey there @andreamontoya, like @markd mentioned we would like to see if you have any additional log information or details on the error you are receiving on the challenge you’ve been experiencing? Thanks in advance!
The Auth0 logs show both a Success Login and a Failure Login (with the error shown above) whenever we attempt to login with Facebook.
What we see in the network tab: After Facebook redirects to Auth0 and Auth0 redirects to our site, we for some reason get redirected to Facebook which attempts to do an exchange with Auth0 again.
We assumed there was some issue in the callback on our own site but after testing this locally, we found that we see the Auth0 error page before even entering that function.
When you get a chance @andreamontoya, can you snag us a HAR file when reproducing the workflow that produces the error? Once you've got it, please DM it over to me and I'll be happy to take a deeper look at what may be going on. Thanks!
@giffon it seems like your application may not be handling the callback correctly. It appears to be calling Auth0’s callback twice with the same code and we are seeing a successful code and token exchange. This means you are getting an initial login successfully once, but the second time it produces the error you are experiencing.
Hi everyone.
I’ve been investigating this issue and I believe it’s caused by a behavior in Facebook’s login page which ends up making two consecutive requests to Auth0’s callback URL (e.g. https://yourtenant.auth0.com/login/callback) under certain circumstances.
As you know, Auth0 acts as a client application for Facebook, in a separate OAuth2 conversation that happens when the user clicks on Facebook as the desired authentication method.
- The user was not logged in before.
- The timing is just right so that the moment after the user clicks "Log in" in Facebook's login page (when the browser is redirecting but the page didn't unload yet) coincides with an automatic login process set by Facebook.
From the Auth0 point of view, this is seen as an attempt to send two consecutive responses to the same authentication request, which is invalid from an OAuth2 perspective and causes the error displayed by Auth0.
I’ve reported this to Facebook at Log into Facebook if you are curious for more technical details and want to check for outcomes.
Facebook informed on the support ticket that a fix for this has been released. For those of you that were able to reproduce easily, would it be possible for you to test this out and share your results?
If you still see issues, I’d appreciate a .HAR file that captures the whole authentication attempt. Remember that .HAR files will contain your Facebook password, so remember to edit that out before sending (it’s a simple JSON file, so just search for your password and delete it).