I’m trying to pinpoint the exact scenario, but so far this error only occurs on Firefox (I’m testing on v68.0.1).
We have a redirect rule to move the user to a /signed-up address if it is a sign-up. We do this for tracking purposes, to count successful conversions. We had to do that because of Social Logins, which don’t offer an easy distinction between signup and login, hence we redirect based on the logins count.
However, when using Firefox to sign up with email + password, sometimes after the redirection, when the application redirects to the Auth0 /continue with something like:
window.location.replace(`https://${AUTH0_CLIENT_DOMAIN}/continue?state=${ state }`);
We get a 401 Unauthorized page…
Should we do something different?
Did a quick check on server logs and, for the state captured in that HAR, our server received two requests simultaneously, so the first one being processed invalidated the state and caused a 401 for the other request. Now the problem is why there are two requests that, per the headers, both originate from a Firefox user agent; you may want to see if Firefox configured to use Fiddler as a proxy results in the two requests being shown.
This weekend we started to have a similar problem on Chrome, but for every signup; I suspect that it might have got stricter or improved how the JavaScript flow works.
We figured out that a return was missing in our code that redirects the user to /continue, hence the component was being mounted twice, and thus making the request twice, with the two requests invalidating each other.
So the fix was to add a return to the location replace:
return window.location.replace(`https://${AUTH0_CLIENT_DOMAIN}/continue?state=${ state }`);
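As an added example (not code from the original thread or from Auth0), the following models the behaviour described above in Node.js: a `/continue` endpoint that accepts each `state` exactly once, a fake `window.location` that records the status of every navigation, and the double-mount scenario. It goes slightly beyond the thread's own fix (adding `return`) by also showing a redirect helper that is idempotent per `state`, so a second mount cannot resend it even if the early return is forgotten again. The endpoint, the fake location, the value of `AUTH0_CLIENT_DOMAIN` and all state values are constructed stand-ins; the real Auth0 endpoint is not contacted.

```javascript
'use strict';

const AUTH0_CLIENT_DOMAIN = 'example.auth0.com'; // assumed placeholder, not a real tenant

// Constructed stand-in for the Auth0 /continue endpoint. Each issued state value is
// accepted exactly once; any later request carrying the same state gets a 401, which
// is the behaviour the support reply observed in the server logs.
let stateCounter = 0;
class FakeContinueEndpoint {
  constructor() { this.pendingStates = new Set(); }
  issueState() {
    const state = `state-${++stateCounter}`;
    this.pendingStates.add(state);
    return state;
  }
  handle(url) {
    const state = new URL(url).searchParams.get('state');
    if (!this.pendingStates.has(state)) return 401; // unknown or already consumed
    this.pendingStates.delete(state);               // single use: invalidate on first hit
    return 200;
  }
}

// Constructed stand-in for window.location: every replace() becomes one request to the
// endpoint and its status is recorded in order.
class FakeLocation {
  constructor(endpoint) { this.endpoint = endpoint; this.statuses = []; }
  replace(url) { this.statuses.push(this.endpoint.handle(url)); }
}

function continueUrl(state) {
  return `https://${AUTH0_CLIENT_DOMAIN}/continue?state=${encodeURIComponent(state)}`;
}

// Naive redirect, as in the thread before the fix: every call navigates, so a component
// that mounts twice sends the same state twice and the second request is rejected.
function redirectToContinueNaive(location, state) {
  location.replace(continueUrl(state));
}

// Idempotent redirect (assumed hardening, not the thread's fix): remember which states
// have already been sent during this page load, so a repeated mount is a no-op.
const sentStates = new Set();
function redirectToContinueOnce(location, state) {
  if (sentStates.has(state)) return false; // already redirected for this state
  sentStates.add(state);
  location.replace(continueUrl(state));
  return true;
}

// Simulates the lifecycle from the thread: a mount that triggers the redirect, then an
// unexpected second mount that runs the same code again with the same state.
function simulateDoubleMount(redirectFn) {
  const endpoint = new FakeContinueEndpoint();
  const location = new FakeLocation(endpoint);
  const state = endpoint.issueState();
  redirectFn(location, state); // first mount
  redirectFn(location, state); // second mount (the bug)
  return location.statuses;    // e.g. [200, 401] for the naive helper
}

console.log('naive:', simulateDoubleMount(redirectToContinueNaive));
console.log('once :', simulateDoubleMount(redirectToContinueOnce));
```

The naive helper yields `[200, 401]`: the first request consumes the state, the second is rejected. The idempotent helper yields `[200]`. In a real app the `sentStates` guard only needs to live as long as the page, since a fresh `state` is issued for every new flow; the early `return` from the thread remains the primary fix because it stops the rest of the component from rendering at all.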