Classic Universal Login (/login) page returns 200 when given junk parameters

A customer of ours raised an issue about being unable to log in. After investigating, we found some strange behavior from Auth0 that we were not expecting. Would appreciate any insight you could give us on this situation and how to handle it.

Scenario:
We use a customized Classic Universal Login loaded at https://MY_CUSTOM_DOMAIN.com/login. I attempt to navigate to the login page but supply all junk data in the query parameters:

https://MY_CUSTOM_DOMAIN.com/login?state=X&client=X&protocol=X&connection=X&audience=X&redirect_uri=X&scope=X&response_type=X&response_mode=X&nonce=X&code_challenge=X&code_challenge_method=X&auth0Client=X

Expected Behavior
Either Auth0 shows an error page or else redirects me back to my default login URL as described here: Configure Default Login Routes

Actual Behavior
Auth0 loads the login page normally (200 response). Attempting to log in from the page returns a 404 error from the /usernamepassword/login route.

Hey @cmcgowan,

I’ve tried to reproduce the behaviour you are experiencing and described but had no success. After appending /login?state=X&client=X&protocol=X&connection=X&audience=X&redirect_uri=X&scope=X&response_type=X&response_mode=X&nonce=X&code_challenge=X&code_challenge_method=X&auth0Client=X to my custom domain, I just get redirected to my default login route.

You’ve mentioned that Auth0 loads the login page normally. I find that very confusing since using junk parameters won’t allow Auth0 to know which login page to actually serve. You really need to provide some of those parameters. When you say the login page was loaded, do you mean your Classic Universal Login page? From my point of view, that might not be possible with junk parameters.

In addition to what I’ve said, the expected flow would be to call /authorize and not /login. This is documented on our Authentication API documentation.

Since all this doesn't make much sense to me, I would suggest you provide a HAR file while reproducing the entire flow so I can take a deeper look at what's going on there. Please, do not forget to remove any credentials, secrets or active/valid Access Tokens that might be found inside the HAR file. You can also DM me the HAR file if you are concerned about security/privacy.

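The reply's point is that the app should start at /authorize with real values, not land on /login with the parameters the junk URL set to X. Here is an added example (not Auth0's code nor either poster's) that builds those parameters properly with PKCE and checks the state on the callback; the custom domain, client ID and redirect URI are placeholders you would replace with your tenant's values.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder tenant values (assumptions, not from the thread).
CUSTOM_DOMAIN = "MY_CUSTOM_DOMAIN.com"
CLIENT_ID = "YOUR_CLIENT_ID"
REDIRECT_URI = "https://app.example.com/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """Fresh high-entropy code_verifier, kept server/app-side until token exchange."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str, nonce: str,
                        connection: Optional[str] = None) -> str:
    """The /authorize request the login page is normally reached from."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,                  # bound to the user's session
        "nonce": nonce,                  # echoed back inside the ID token
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    if connection:
        params["connection"] = connection
    return f"https://{CUSTOM_DOMAIN}/authorize?{urlencode(params)}"


def check_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code only if state round-tripped intact."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale or forged login attempt")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]
```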