@goodman I believe at this time when users are bookmarking the /login page that will happen and that behavior is expected. The issue occurs when you are making a call to the /authorize URL but the state parameter is missing. The state parameter is used to mitigate CSRF attacks, so during authentication the application sends this parameter in the authorization request, and the Authorization Server (Auth0) will return this parameter unchanged in the response. It is recommended not to bookmark the login page (more info, if anyone is curious, can be found here: https://auth0.com/docs/protocols/oauth2/oauth-state), but I know we can't be in total control of users bookmarking this.
Our engineering team is aware of the challenges this causes. Improvements to this are being developed; however, we can't quite provide any ETA or commitments at this time.
In cases where this error is thrown, we could try configuring a custom error page in our application from tenant settings, then handle the error by initiating a new login by calling the /authorize endpoint.
We can send out a notification once we have progress on the changes to support bookmarking the hosted page, but as mentioned earlier I don’t really have any ETA.
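
The state round trip and the "start a new login" fallback described in the reply above, as an added example that is not part of the original post or Auth0's own code. The tenant URL, client ID, redirect URI, session dict and function names are assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholders; substitute your own tenant and application settings.
AUTHORIZE_URL = "https://YOUR_TENANT.example/authorize"
CLIENT_ID = "YOUR_CLIENT_ID"
REDIRECT_URI = "https://app.example/callback"


def start_login(session):
    """Store a fresh random state in the user's session and build the /authorize URL."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session, callback_url):
    """Return ("ok", code) if state matches, otherwise ("restart", new /authorize URL).

    The "restart" branch is also what a custom error page handler would do for a
    user who arrived from a bookmarked login page and has no valid state.
    """
    params = parse_qs(urlparse(callback_url).query)
    returned = params.get("state", [""])[0]
    expected = session.pop("oauth_state", "")  # single use: a replay finds nothing
    # Compare as bytes in constant time; an empty value on either side never matches.
    matches = bool(expected) and bool(returned) and hmac.compare_digest(
        expected.encode(), returned.encode()
    )
    if not matches or "code" not in params:
        return "restart", start_login(session)
    return "ok", params["code"][0]
```
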