How to Test changes to Maximum Expiration Time for Login Transactions Deprecation

Problem statement

On October 17, 2023, a maximum lifetime of 1 hour will be introduced for the following flows:

• Authorization Code Flow
• Authorization Code Flow with PKCE
• Cross-Origin Authentication
• Device Authorization Flow
• Hybrid Flow
• Implicit Flow with Form Post
• Security Assertion Markup Language (SAML)
• Web Services Federation Protocol (WS-Fed)

In order to customize the Auth0 error page and handle this use case, please provide additional guidance on:

  • Which error code to expect when a transaction expires? Which error codes are available?
  • How to test this use case without waiting 3 days/1 hour for the transaction to expire?

Solution

  1. In the case where a default login route is not configured at the tenant level or for the application the user was attempting to log in to, an “invalid_request” error will occur.

In the absence of a custom error page URL configured for the tenant, the generic error page “Oops something went wrong” will show and the technical details section will have the following:

invalid_request: You may have pressed the back button, refreshed during login, opened too many login dialogs, or there is some issue with cookies, since we couldn't find your session. Try logging in again from the application and if the problem persists please contact the administrator.

If a custom error page URL is configured, Auth0 will redirect the user to that page, and it will receive something like the following, with the same error and error_description URL-encoded:

<YOUR_CUSTOM_ERROR_PAGE_URL>?client_id=&connection=&lang=en-GB%2Cen%3Bq%3D0.9&error=invalid_request&error_description=You%20may%20have%20pressed%20the%20back%20button%2C%20refreshed%20during%20login%2C%20opened%20too%20many%20login%20dialogs%2C%20or%20there%20is%20some%20issue%20with%20cookies%2C%20since%20we%20couldn%27t%20find%20your%20session.%20Try%20logging%20in%20again%20from%20the%20application%20and%20if%20the%20problem%20persists%20please%20contact%20the%20administrator.&tracking=5f2a580f67677770464a

If there is a default login route configured, there will be no error; instead Auth0 will redirect the user to the default login route, which should be configured to be a page from which the user can initiate a fresh /authorize request and thus log in successfully.
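The redirect above carries the error in the query string, so a custom error page needs to parse it and decide what to do. The following is an added example (not Auth0's code or part of the original article) of that parsing in browser or Node JavaScript; the /login route and the example.com host are assumed placeholders, and the sample redirect URL is constructed to match the shape shown above.

```javascript
// Added example (not Auth0's code): parse the query string Auth0 appends when it
// redirects to a tenant's custom error page, and decide what the page should do.

// Phrase from the invalid_request description Auth0 sends when the login
// transaction can no longer be found (expired, or its state overwritten).
const SESSION_NOT_FOUND_MARKER = "couldn't find your session";

// Hypothetical route on the application from which a fresh /authorize starts.
const FRESH_LOGIN_ROUTE = "/login";

function classifyAuth0ErrorRedirect(pageUrl) {
  // URL/URLSearchParams decode the percent-encoding for us (%2C -> ",", %27 -> "'").
  const params = new URL(pageUrl).searchParams;
  const error = params.get("error");
  const description = params.get("error_description") || "";
  const tracking = params.get("tracking") || null;

  if (!error) {
    // Page reached without Auth0 error parameters: nothing specific to report.
    return { error: null, description, tracking, action: "show-generic" };
  }
  if (error === "invalid_request" && description.includes(SESSION_NOT_FOUND_MARKER)) {
    // Expired or lost login transaction: the only remedy is a fresh /authorize.
    return { error, description, tracking, action: "redirect", target: FRESH_LOGIN_ROUTE };
  }
  // Any other error: display the decoded details and the tracking id for support.
  // Render them with textContent, never innerHTML, since they come from the URL.
  return { error, description, tracking, action: "show-error" };
}

// Constructed sample redirect, shaped like the one in the article above.
const SAMPLE_REDIRECT =
  "https://example.com/error?client_id=&connection=&lang=en-GB%2Cen%3Bq%3D0.9" +
  "&error=invalid_request&error_description=You%20may%20have%20pressed%20the%20back%20button%2C" +
  "%20refreshed%20during%20login%2C%20opened%20too%20many%20login%20dialogs%2C%20or%20there%20is" +
  "%20some%20issue%20with%20cookies%2C%20since%20we%20couldn%27t%20find%20your%20session.%20Try" +
  "%20logging%20in%20again%20from%20the%20application%20and%20if%20the%20problem%20persists%20please" +
  "%20contact%20the%20administrator.&tracking=5f2a580f67677770464a";

if (typeof require !== "undefined" && require.main === module) {
  console.log(classifyAuth0ErrorRedirect(SAMPLE_REDIRECT));
}
```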

  2. In order to trigger the error earlier, open 10+ tabs in the same browser window and trigger the application’s /authorize call in each tab without logging in, leaving the tab open. Then return to the first tab that was opened and attempt a login. This should cause the error, as that tab’s state value should have been overwritten by the other /authorize requests by that point.

Alternatively, use a proxy tool like Burp Suite to intercept the POST to the login page with the user’s credentials, and alter the state value sent so it is invalid before passing it on to Auth0.