Missing client parameter

Please help I just started getting this error and noting changed in my side

Search for clients or features
Notifications bell
Help & Support
Documentation
Talk to Sales
play-coin
Dashboard
Clients
APIs
SSO Integrations
Connections
Users
Rules
Hooks
Multifactor Auth
Hosted Pages
Emails
Logs
Anomaly Detection
Analytics
Extensions
Get Support
Logs
Summary
Occurred 3 minutes agoat 2018-03-16 09:52:59.086 UTC
Type Failed Login
Description missing client parameter
Connection
Application
User
Raw
Context Data
{
“date”: “2018-03-16T09:52:59.086Z”,
“type”: “f”,
“description”: “missing client parameter”,
“connection_id”: “”,
“ip”: “41.162.37.84”,
“user_agent”: “Mozilla/5.0 (Linux; Android 7.0; LG-H990 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.109 Mobile Safari/537.36”,
“details”: {
“body”: {},
“qs”: {
“state”: “6KQivi0bZObQ1SAng2ZsIr4rwbdikbtL”
},
“error”: {
“message”: “missing client parameter”,
“oauthError”: “invalid_request”,
“type”: “request-error”
}
},
“hostname”: “xxxxxxxxxx.eu.auth0.com”,
“log_id”: “90020180316095259086791065061152130280202273305692995634”
}
NOTIFICATIONS View all
You have no new notifications.

I’m receiving the same error. No code changes and just began getting this today.

Lately we have introduced a modification in the redirection between /authorize call and /login call that needs to keep the user session in order to work. For a normal end user that will work without any issue, however, we have seen tons of errors coming from User-Agents like Java and other tools that are not browsers. If you have an automated tool you will need to be sure that the tool keeps the session.

This was 100% happing from auth0.js running in Chrome browser. In any event this makes me nervous using this solution going forward, how can it work one day and the next throwing errors? This will loose sensitive customers for sure! There should be protocol’s ensuring this never never never happens with an authentication system…

Thank you for the verification - let me go back and see if I can track down what happened. Can you send me your tenant name so we can investigate? A DM is fine if you would prefer

It’s keeping several of our users from login in. We’re not using any automated tools, these are internal users/admins. Auth0 marked the incident as resolved yesterday but we’re still experiencing the issue. Tenant “pwnhealth”. Please advise.

Thanks for the info - I am checking internally and will get back with you as soon as I know something.

Hello Warren,

we are experiencing a simular problem when our MFA wants to send a push notification.
It’s stuck on the loading page and sometimes a browser refresh is producing your ‘missing client parameter’ error in the Auth0 log.

We’ve narrowed it down to a combination of an Android OS and the google Chrome browser.
Any onter combination works fine. No errors and no problems login in.

We will be creating a new ticket but wanted to let you know.

Cheers,
Dennis

I’m having the same issue. Started this morning and preventing several clients from logging in.

So with this issue, quite often we see this happen when someone has bookmarked the login page and then try to hit that page - which will eventually not work after the session has expired - the login page is not meant to be bookmarked as it is shown as part of a non-repeatable OAuth 2.0 transaction.

Accessing /login will not work after April 1 as we deprecate old endpoints and instead push towards /authorize instead.

Is it possible to just route the user to the intended URL when this happens? We have some users that are not that technically savvy and are having issues like this. It would be easier if the login site just routed back to the original site instead.

Just to let you know. There are no bookmarks involved when looking at our problem.
The interface just keeps loading which in some cases result in a ‘missing client parameter’ error after a refresh.
And the problem only occurs on Android in combination with the Chrome browser.

To better provide an answer as to what is going on, and what changes should be made (@warren1 / @jnovak / @athome / @dennis1 / @jaliperti1 / @gmilow ), we need to know what/how you’re using Auth0, essentially the usecase. Feel free to DM me if you would prefer.

For instance, @athome where is that URL coming from? You can enter into /login with same values as before or be redirected by /authorize. Both, currently work. But if you’re making requests directly to /login that will need to change, otherwise some people may periodically see issues related to a lost session when the redirect comes to /authorize

Hi Jeremy, attached a screenshot of where we get stuck in the proces. It’s the out of the box 2FA authentication provided with Lock and Gardian. The screenshot is with Android and Chrome and with those we have the issues. Not always but nine out of ten. We happily provide you with more details if so required.

Screenshot_20180321-191935288×576 12.4 KB

I used a tutorial I found on your site using auth0.js as is. Using it through a web. 100% No bookmarks. Also it was working perfectly for the last 2 month’s and started happening without making any changes.

Hi Jeremy, attached an image which contains some more technical information.

image1920×1040 101 KB

Ok so here’s the information I have received around this. This isn’t an outage, but is instead around making sure everyone is using secure clients and best practice. Clients need to be utilizing the /authorize endpoint properly, and in turn will be logged in properly. The /login endpoint is not a documented part of our API and should not be used. The proper process is identified here.

I am using it exactly the same way as described:

(function () {
  var webAuth = new auth0.WebAuth({
    domain: 'xxx',
    clientID: xxx'',
    redirectUri: xx'',
    responseType: 'id_token',
    scope: xx''
  });

  var loginBtn = document.getElementById('btn-login');
  loginBtn.addEventListener('click', function (e) {
    e.preventDefault();
    webAuth.authorize();
  });

  function handleAuthentication() {
    webAuth.parseHash(function (err, authResult) {
      if (authResult && authResult.idTokenPayload) {
        window.location.hash = '';
        alert('your user_id is: ' + authResult.idTokenPayload.sub);
      } 
    });
  }

  handleAuthentication();
})();

NOTE:

I am using with https://cdn.auth0.com/js/auth0/9.2.2/auth0.min.js

That’s not the issue for us either, we’re redirecting to /authorize. For instance, when the user visits an authenticated URL (labs.pwnhealth.com), they’re redirected to the URL below, per tutorial/documentation on the Rails SDK. Again, this issue never happened in several months since we implemented Auth0 for authentication, and started happening at the time of the incident mentioned previously. Even though the incident was closed, we continue to experience the issue.

https://pwnhealth.auth0.com/authorize?audience=https%3A%2F%2Fpwnhealth.auth0.com%2Fuserinfo&auth0Client=eyJuYW1lIjoib21uaWF1dGgtYXV0aDAiLCJ2ZXJzaW9uIjoiMi4wLjAifQ%3D%3D&client_id=h5d9aF3VkOyHyzS7MLpP0ERzCawRmrLP&redirect_uri=https%3A%2F%2Flabs.pwnhealth.com%2Fauth%2Fauth0%2Fcallback&response_type=code&scope=openid+profile&state=dfa3be12d91b2a8a79cdf3ae317555fe6315f3b3bd2973fc

One of my users started experiencing this yesterday as well, and continues to today. Just this one specific user (there are only about ten users total), no other users see the error. For this user it doesn’t happen 100% of the time, sometimes they can login just fine.

My use case is very simple, I’m only using Username-Password-Authentication connection, no other social logins. I’m using the PHP-SDK, version 5.1.0. My code looks almost exactly like that in the setup docs: Auth0 PHP SDK Quickstarts: Login

I’m also using the hosted pages for login, so I haven’t built my own. Thus I don’t have any code which calls endpoints myself, nor am I using Lock, etc.