Best Strategy For Handling Failed Logins

I’m using the PHP API and configuring my production social logins and I’m using the universal login.

When I login using the Facebook it fails with a single ‘Unauthorized’ message and I’m left on a url
which is https://auth0.com/continue?state=xyz.

The error is more than likely due to a misconfiguration - but that’s not what this post is about.
If I now go back to my website and attempt to login again I don’t see the universal login - I’m simply presented with the same ‘Unauthorised’ message and I’m now on the same url.

If I clear my PHP session id/cookies in the browser the same thing happens.

From a user journey point of view - if a login has failed I would expect to see the universal login screen again when I click ‘login’, not an attempt to log me again in using the previous credentials.

How do I handle this scenario?

The error in question is likely indeed a misconfiguration; if you’re using social connections a good first step for anything beyond a simple try login in the dashboard is to confirm that the social connection is configured with your own keys. As in, not using developer keys (https://auth0.com/docs/connections/social/devkeys) as those can be a source of issues in some scenarios.

In relation to the question itself, I’m afraid it may be slightly complicated. A login may fail at distinct stages, in particular, if it involves a social provider you can roughly think of the following stages:

  • a login session at the client application.
  • a login session at the Auth0 domain (which is acting as an authentication broker).
  • a login session at the upstream provider.

In addition to that, within each of the above there can also be different mini-stages; for example, the login flow in Auth0 may also include MFA, consent, redirect rules. With all of this in mind a definitive answer to the question may be complex because depending in which stage it fails some stages may have completed with success and as such a valid session may be established which allows those stages to be skipped in subsequent attempts.

In my opinion I would say a client application will need to be aware of the context; as in, a user tries to login and it fails. As a first option, allowing the user to simply retry the login may suffice, however, if the user chooses that and the application receives the same thing as before it may then offer a few more options or perform something differently.

For example, once an application detects what it considers is anomalous loop where repeating the operation just leads to the same outcome it may either offer an option to login with a different account where the authentication request (assuming OIDC protocol here) would include a prompt=login parameter that would force the login page in Auth0 to always be shown or it could perform a logout before attempting to retry the operation.