Clicking ‘Confirm’ or 'Cancel' Button Multiples Times in the Device Confirmation Screen Causes Inconsistent Behavior

Knowledge Solutions
1

Problem statement

Clicking the ‘Confirm’ or ‘Cancel’ buttons multiple times in the Device Confirmation screen during the Device Auth Flow causes the following error in Chrome and Brave browsers:

invalid_request: You may have pressed the back button, refreshed during login, opened too many login dialogs, or there is some issue with cookies, since we couldn’t find your session. Try logging in again from the application and if the problem persists please contact the administrator.

The same issue may also generate the following error in the dashboard logs:

A user has attempted to access a login page directly. This is not supported unless an “Application Login URI” is set for your application, or a “Tenant Login URI” is set for your tenant. For more information, see: Configure Default Login Routes

image
image1028×1300 49.4 KB

In Firefox, this issue doesn’t occur, the ‘confirm’ button can be clicked multiple times and the user is still presented with the next Auth0 modal to enter your credentials.

Steps to reproduce

Using the New Universal Login, start a device flow:

curl --request POST \
  --url 'https://{{yourDomain}}.auth0.com/oauth/device/code'; \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'client_id={{client_id}}' \
  --data scope=openid+profile+offline_access \
  --data audience={{audience}}

This returns the following:

{"device_code":"NdfzApX3vYXhLtLPjfG1KR5l","user_code":"SPXH-GBGR","verification_uri":"https://{{yourDomain}}.auth0.com/activate","expires_in":900,"interval":5,"verification_uri_complete":"https://{{yourDomain}}.auth0.com/activate?user_code=SPXH-GBGR"}%

Open the link received with verification_uri_complete in Chrome and click on the Confirm or Cancel button a few times quickly.

Cause

This is a known issue with the Device Confirmation widget, which is currently in the backlog.

Solution

Please share feedback with the product team to help with prioritization.

For paid customers using a custom domain, a workaround to prevent clicking these buttons multiple times can be implemented with a Javascript code using universal login page templates.

This sample can be used as a starting point while implementing the solution. Please note that the solution depends on some internal HTML attributes on the page. A name change may break the code, leading to login issues.