Overview
After authenticating, the user sees multiple redirects until the browser shows the message:
You were redirected too many times.
Applies To
- Authentication
Cause
This can happen when an application automatically redirects to the tenant's /authorize endpoint at a point where no authentication is required.
For example, if the application's callback endpoint is a protected page, a race condition can occur: the successful login response arrives at the callback endpoint, but because the user does not yet have an application session, the application automatically redirects them to authenticate again instead of processing the login response and creating a local session.
Solution
The callback endpoint on an application should not require authentication, because as part of the login flow it will often receive requests from users who are not yet authenticated. This is particularly true in SPA frameworks, where loading the page triggers lifecycle events that can lead to race conditions.
- Check the applications for automatic redirects to the /authorize endpoint and ensure these requests are sent only when absolutely required.
- Check whether actions are denying access while the application is not processing the access_denied error appropriately. See Login Action - api.access.deny and api.redirect.sendUserTo Looping after Call for more details.
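The following is an added example, not code from the original article or any SDK. It models the route guard described above and shows how protecting the callback endpoint produces the loop, while a public callback that handles both the login response and the access_denied error ends the flow. The names CALLBACK_PATH, guard and simulateLogin, the /dashboard path and the app.example host are assumptions.

```javascript
// Added example; CALLBACK_PATH, guard() and simulateLogin() are hypothetical names.
const CALLBACK_PATH = '/callback';

// Decide what the application does with a request, given its local session.
// protectCallback: true reproduces the misconfiguration described above.
function guard(url, session, { protectCallback = false } = {}) {
  const u = new URL(url, 'https://app.example'); // constructed base URL
  if (u.pathname === CALLBACK_PATH && !protectCallback) {
    // The callback is public: it must handle the login response itself.
    const error = u.searchParams.get('error');
    if (error) return { action: 'show_error', error }; // e.g. access_denied
    if (u.searchParams.has('code') && u.searchParams.has('state')) {
      // A real app verifies state and exchanges the code before this step.
      return { action: 'create_session' };
    }
    return { action: 'show_error', error: 'invalid_callback' };
  }
  if (!session) return { action: 'redirect_to_authorize' };
  return { action: 'serve' };
}

// Model the tenant as always answering /authorize with the given callback query,
// and count how many times the browser is sent to /authorize.
function simulateLogin(callbackQuery, opts = {}, maxHops = 20) {
  let session = null;
  let url = '/dashboard';
  let authorizeHops = 0;
  for (let hop = 0; hop < maxHops; hop++) {
    const d = guard(url, session, opts);
    if (d.action === 'redirect_to_authorize') {
      authorizeHops++;
      url = `${CALLBACK_PATH}?${callbackQuery}`;
    } else if (d.action === 'create_session') {
      session = { user: 'constructed-user' };
      url = '/dashboard';
    } else {
      return { outcome: d.action, error: d.error, authorizeHops };
    }
  }
  return { outcome: 'redirect_loop', authorizeHops };
}
```

Counting trips to /authorize per login attempt, as simulateLogin does, is also a practical way to spot the loop in application or tenant logs.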