Hi there,
Some of our users are bookmarking our hosted login page and having trouble logging in as a result of the nonce check. Our callback handler redirects the user to the login page again if the state is not valid during the parseHash call on the callback URL. This flow is not ideal, as the user has to provide their username and password twice.
What we are considering doing is to detect whether or not the user has been redirected to the login page from our application using document.referrer. The flow would be something like the following:
- User loads a bookmarked hosted login page.
- On the hosted login page we check for the document.referrer value.
- If the document.referrer value is null, we reload the login page via a redirect to our /login endpoint causing a fresh new login page.
- If the document.referrer value is not null, we were redirected from the application and we should not reload the page.
I am aware of the Application Login URI setting but using this setting complicates our deployment process quite a lot just to handle this particular scenario.
My question is whether using the method outlined above is valid/reliable and if there are any pitfalls that I should be aware of. Am I crazy for trying to implement a reload of the hosted login page in this way?
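The flow described in the post, as an added example that is not part of the original post and not Auth0 code. It covers two edge cases of the check: `document.referrer` is an empty string rather than null when no referrer is sent, and a restart needs a loop guard. The origin list, `/login` URL, storage key and time window are constructed placeholders.

```javascript
// Added example. All constants below are constructed placeholders (assumptions).
const APP_ORIGINS = ["https://app.example.com"];
const LOGIN_ENDPOINT = "https://app.example.com/login";
const RESTART_KEY = "loginRestartedAt";
const RESTART_WINDOW_MS = 30000;

// Pure decision function so it can be tested outside a browser.
// Returns "stay" (render the form) or "restart" (go to /login for a fresh transaction).
// The referrer is only a usability hint; the state check in the callback handler
// remains the control that rejects a stale transaction.
function decideLoginAction({ referrer, now, lastRestartAt }) {
  // Loop guard: the navigation we trigger ourselves may not carry the
  // application's origin as referrer, and an application that sends
  // "Referrer-Policy: no-referrer" never will. Restart at most once per window.
  if (lastRestartAt !== null && now - lastRestartAt < RESTART_WINDOW_MS) {
    return "stay";
  }
  // document.referrer is "" (never null) for bookmarks, typed URLs and
  // navigations where the referrer was suppressed.
  if (!referrer) return "restart";
  let origin;
  try {
    origin = new URL(referrer).origin;
  } catch {
    return "restart"; // unparseable value: treat like a missing referrer
  }
  // Compare whole origins; a substring match would accept look-alike hosts.
  return APP_ORIGINS.includes(origin) ? "stay" : "restart";
}

// Browser wiring for the hosted login page (skipped when run outside a browser).
if (typeof document !== "undefined") {
  const stored = sessionStorage.getItem(RESTART_KEY);
  const action = decideLoginAction({
    referrer: document.referrer,
    now: Date.now(),
    lastRestartAt: stored === null ? null : Number(stored),
  });
  if (action === "restart") {
    sessionStorage.setItem(RESTART_KEY, String(Date.now()));
    window.location.replace(LOGIN_ENDPOINT);
  }
}
```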