
Hosted Login Page redirects (302) immediately

#1

The first time I go to my hosted login page via the /authorize url, I see a nice lock like I expect, but as soon as I have logged in it appears that the auth0 server remembers this. So if I try to go there again, I am immediately redirected (302) back to my page as if I entered the same username and password. If I clear the cookie for my hosted login page, it works again. This doesn’t happen on my old tenant but I can’t see any differences in settings that could be causing this. Does anyone have ideas how to debug this?

#2

Hi @kristian_d

New tenants have “Seamless SSO” enabled by default, where the hosted login page will be skipped completely if the user has a valid session at Auth0 (the previous behavior was to get a “Last time you logged in with …” button in Lock that allowed the user to click and login without entering credentials again, effectively using the existing session).

You can make an old tenant behave like new tenants by using the “Enable Seamless SSO” option (see https://auth0.com/docs/sso/current/setup#addendum-sso-configuration-for-legacy-tenants), but you can’t make new tenants behave like old tenants.
What you can do, if it makes sense for your use case, is reduce the duration of the Auth0 session. Applications can also force the login page to be displayed by using the prompt=login parameter on the authentication response.

1 Like
#3

I am running into the same issue as kristian_d - the hosted login page redirects immediately.

I have a new tenant set up. I am using the Auth0-JS library. How can I make it so that users are forced to go to the lock screen every time? I’m not sure where I would add the “prompt=login” parameter on the authentication response.

From reading this link, it seems like I should be adding a prompt=login to the end of the /authorize API call. However I’m never calling this API directly; instead, it’s auth0.WebAuth’s call to login( ) that seems to be initiating the API call, and I don’t know how I would pass prompt=login over to the API.

#4

Figured it out.

The key is here:

When you’re calling WebAuth.authorize( ), you pass in {prompt: "login"} as the input parameter.

1 Like
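
For cases where the forced login has to be relied on (for example before a sensitive action), here is an added example, not from the thread or from Auth0's code, that goes one step beyond the answer above: it builds the /authorize request with prompt=login and has the receiving side check the OpenID Connect auth_time claim, because a request parameter passes through the browser and can be removed. The domain, client ID, callback URL and function names are constructed placeholders, and the claims are assumed to come from an ID token whose signature was already verified.

```javascript
// Added example: hypothetical helper names, not part of auth0.js.

// Build the /authorize request that WebAuth.authorize({prompt: "login"})
// would send. state and nonce must be fresh random values from the caller.
function buildAuthorizeUrl({ domain, clientId, redirectUri, state, nonce, forceLogin }) {
  const params = new URLSearchParams({
    response_type: 'id_token',
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: 'openid',
    state,
    nonce,
  });
  if (forceLogin) {
    // Ask for the login page even when a session cookie exists.
    params.set('prompt', 'login');
    // OpenID Connect Core: with max_age in the request, the ID token
    // must carry an auth_time claim that the receiver can check.
    params.set('max_age', '0');
  }
  return `https://${domain}/authorize?${params}`;
}

// Check that the user really authenticated recently. claims is the payload
// of an ID token that has ALREADY passed signature, issuer and audience checks.
function isFreshLogin(claims, maxAgeSeconds, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (!Number.isInteger(claims.auth_time)) {
    return false; // no auth_time: cannot prove a fresh login, treat as stale
  }
  const age = nowSeconds - claims.auth_time;
  // Reject logins older than allowed and timestamps from the future.
  return age >= 0 && age <= maxAgeSeconds;
}
```
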