We use this in our Outlook popup:
createAuth0Client(state.auth0Options).then(auth0 => {
  auth0.loginWithRedirect({
    redirect_uri: state.auth0Options.dialogRedirectUri
  })
});
When the user types incorrect credentials, Auth0 does a POST to
https://…eu.auth0.com/u/login?state=…
which returns 400 (Bad Request).
But this error can break the behaviour in some specific places or browsers, for example in the popup for Outlook Desktop.
This returns 400 (Bad Request) because the user typed an incorrect password; this is your normal behavior because the form was being posted (you can try it). Usually it's OK. But in the Outlook popup, for example, you cannot do it this way, because Outlook sees that a POST request got a Bad Request.
I think you should return code 200 with details that the credentials are incorrect, because the request is correct but the user credentials are not.
It looks like this is defined in the OIDC spec as follows:
If the End-User denies the request or the End-User authentication fails, the OP (Authorization Server) informs the RP (Client) by using the Error Response parameters defined in Section 4.1.2.1 of OAuth 2.0 [RFC6749]. (HTTP errors unrelated to RFC 6749 are returned to the User Agent using the appropriate HTTP status code.)
But anyway, the Microsoft Outlook application detects that your page got a 400 (Bad Request), hides your page and displays an error message. So, how does your form send this POST to the server? Using what? Can I see the code? Or is this just a form submit?