Auth0 login callback errors on Classic Universal Login page when browser sits overnight

Hello Auth0 team, I am seeing an issue in my application (which is using the Classic Universal Login Page, and auth0-react to interface with Auth0) very similar to this thread but there is no resolution posted.

How was this issue resolved?
I have set my application default login URIs and my tenant inactivity timeout set to 3 days, and am seeing the following behaviour:

  • User has browser window open on login screen overnight (or some extended period of time)
  • User enters correct login credentials for username-password login
  • Browser redirects to https://<tenant URL>/login/callback and receives 403 (“Password login via OIDC-conformant clients with externally-hosted login pages is unsupported. Alternatively, login could have been initiated from the wrong place (e.g., a bookmark).”) if the app has OIDC Conformant flag enabled, otherwise receives 400 (“Unable to validate session-bound result token.”).
  • Generic error page is displayed.
  • Upon clicking the browser Back button, Auth0 redirects to the correct default login URI and users are able to login properly after that point.

I have been scouring the docs for days trying to resolve this, but I haven’t found much outside of the above post, the Default Login URIs documentation, and “refresh the page”. Would really appreciate some help on this. Thank you!

Hi @dana.zagar,

Welcome to the Auth0 Community!

To confirm, your users are leaving the login page open for an extended period of time, which causes the login to be rejected when they finally attempt to submit their username and password.

I would expect this behavior, because the state of their initial request to authorize has expired. Your app needs to start a new request to authorize with a fresh state.

You could try redirecting them to your own error page (Customize Error Pages) or restart the transaction when you see this specific error.

Also, feel free to leave us some Feedback on this topic.

Hi @dan.woda, thanks for your response! 🙂

Yes, that’s what’s happening. The ideal behaviour for my app would be an error message on the login page itself rather than redirecting to an error page - this was the behaviour of our previous auth provider.

You mention

“restart the transaction when you see this specific error”

Would this be controlled within the Auth0 library that we’re making the login from, or is this handled within an Action, or something else altogether? I’m not sure where in the stack you’re referring.

Thanks so much!

I am saying to restart the login transaction from your application.
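The following is an added example, not code from any poster in this thread or from Auth0: one way an application's own error page could decide when to restart the login transaction, with a guard against redirect loops. It assumes the custom error page URL receives the message in an `error_description` query parameter; `decideRecovery`, `RESTART_WINDOW_MS` and the sample URL are hypothetical names and constructed values.

```javascript
// Added example. Assumption: the custom error page is reached with the
// failure message in an `error_description` query parameter.

// The two messages quoted in the thread for a login page that sat too long.
const STALE_LOGIN_MESSAGES = [
  'Unable to validate session-bound result token.',
  'Password login via OIDC-conformant clients with externally-hosted login pages is unsupported.',
];

// Restart at most once per window, so a persistent failure ends on an
// error page instead of bouncing between the app and the login page.
const RESTART_WINDOW_MS = 60000;

// lastRestartMs: time of the previous automatic restart, or null if none.
function decideRecovery(errorPageUrl, lastRestartMs, nowMs) {
  let description = '';
  try {
    description = new URL(errorPageUrl).searchParams.get('error_description') || '';
  } catch {
    return { action: 'show-error', reason: 'unparseable-url' };
  }
  // Anyone can craft a link to the error page, so the query string is
  // untrusted: use it only to choose a branch, never render it as HTML
  // and never treat any part of it as a redirect target.
  const stale = STALE_LOGIN_MESSAGES.some((m) => description.startsWith(m));
  if (!stale) {
    return { action: 'show-error', reason: 'other-error' };
  }
  if (lastRestartMs !== null && nowMs - lastRestartMs < RESTART_WINDOW_MS) {
    return { action: 'show-error', reason: 'already-restarted' };
  }
  return { action: 'restart-login', reason: 'stale-login-page' };
}

// Constructed sample URL (not taken from the thread).
const sample = 'https://app.example.com/auth-error?client_id=abc' +
  '&error_description=' + encodeURIComponent(STALE_LOGIN_MESSAGES[0]);
console.log(decideRecovery(sample, null, Date.now()));
```

On `restart-login`, the application would record the current time (for example in `sessionStorage`) and start a fresh authorization request, which in auth0-react is `loginWithRedirect()` from `useAuth0()`.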
