Mobile App Failing with "Password login via OIDC-conformant clients with externally-hosted login pages..."

Problem Statement

When logging in using Universal Login, the following error occurs:

error code: access_denied
error description: Invalid state
Password login via OIDC-conformant clients with externally-hosted login pages is unsupported. Alternatively, login could have been initiated from the wrong place (e.g., a bookmark).

How can this error be resolved?

Symptoms

The user is redirected to the default login URI if one is configured at the application level or the tenant level.

Cause

There is no single cause for this issue. Here are the known ones:

The state mismatch error on mobile apps usually happens due to cookie failures. Unfortunately, cookies are not logged in our logs due to security concerns, so it is difficult to troubleshoot cookie-related issues.

Here are the most common scenarios where the state mismatch issue can happen:

  1. The browser discards the Auth0 session cookie. Here are a few potential reasons for this.
    • The user's first-party cookies are disabled.
    • Apple's Safari ITP blocks first-party cookies when it detects (or suspects) that the cookies are used for tracking. Check the "What is Intelligent Tracking Prevention" section in this doc.
    • The total cookie size or number exceeds the limits supported by the browser. If you are using a custom domain, a user visiting some pages on custom-domain.com may set cookies in the browser that are also accessible on the login subdomain (login.custom-domain.com). When the mobile app then opens the login domain in the same browser, the Auth0 cookies (named auth0 and auth0_compat) may fail to be set, which can cause this issue.
  2. The user bookmarks the login page and opens the login page directly. (This usually happens for web apps.)
  3. Multiple login pages are opened simultaneously in the same browser. (This usually happens for web apps.)
  4. The user clicks the back button on the login page. (This usually happens for web apps.)

Solution

Here are some recommended actions:

  1. When using a custom domain, cookies set on the base domain should ideally not be available to the subdomain used as your custom login domain. This can be achieved by setting them as host-only cookies (no Domain attribute), which browsers send only to the exact host that set them.
  2. Check that you are within the browser's cookie limits (per-cookie size and number of cookies per domain).
  3. For native iOS apps, using ephemeral sessions may also help, because the Auth0 cookies are removed every time a login completes, which keeps the browser in a clean state for these cookies on the next login.
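The host-only versus Domain= cookie distinction from steps 1 and 2, worked as an added Node.js diagnostic (not Auth0's code): it applies RFC 6265 domain matching to a constructed set of stored cookies to see which ones spill from custom-domain.com into login.custom-domain.com, whether the auth0 and auth0_compat cookies named above are present there, and how the count and size compare with assumed browser limits. The cookie names, attributes and limit values in the sample are assumptions for illustration, not what Auth0 actually sets.

```javascript
// Added diagnostic, not Auth0's code: which stored cookies also reach the login
// subdomain, and do they crowd out the Auth0 session cookies? Limits are assumed.
const MAX_COOKIE_BYTES = 4096, MAX_COOKIES_PER_DOMAIN = 50; // RFC 6265 lower bounds
// Parse one Set-Cookie header received from `originHost` into a stored-cookie record.
function parseSetCookie(header, originHost) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  let domain = null;
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    if (k.toLowerCase() === 'domain' && v) domain = v.replace(/^\./, '').toLowerCase();
  }
  // RFC 6265: no Domain attribute => host-only cookie, sent to the exact origin host only.
  return { name: pair.slice(0, pair.indexOf('=')), domain: domain ?? originHost.toLowerCase(),
           hostOnly: domain === null, bytes: Buffer.byteLength(pair) };
}

// RFC 6265 domain matching: host-only needs an exact host; Domain= cookies reach all subdomains.
function isSentTo(cookie, host) {
  host = host.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain
                         : host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// Audit what reaches `loginHost`: count and size against the limits, whether both
// Auth0 session cookies made it, and which base-domain cookies spilled over.
function auditLoginHost(stored, loginHost) {
  const login = loginHost.toLowerCase();
  const sent = stored.map(({ from, header }) => parseSetCookie(header, from))
                     .filter((c) => isSentTo(c, login));
  const names = sent.map((c) => c.name);
  return {
    count: sent.length,
    totalBytes: sent.reduce((n, c) => n + c.bytes, 0),
    overCount: sent.length > MAX_COOKIES_PER_DOMAIN,
    oversized: sent.filter((c) => c.bytes > MAX_COOKIE_BYTES).map((c) => c.name),
    auth0Present: names.includes('auth0') && names.includes('auth0_compat'),
    spilledFromBase: sent.filter((c) => !c.hostOnly && c.domain !== login).map((c) => c.name),
  };
}

// Constructed sample: two cookies set by pages on custom-domain.com (one host-only,
// one with Domain=) plus the Auth0 pair set by the login host itself.
const SAMPLE = [
  { from: 'custom-domain.com', header: 'prefs=dark; Path=/' },
  { from: 'custom-domain.com', header: 'analytics_id=abc123; Domain=.custom-domain.com; Path=/' },
  { from: 'login.custom-domain.com', header: 'auth0=sess; Path=/; Secure; HttpOnly' },
  { from: 'login.custom-domain.com', header: 'auth0_compat=sess; Path=/; Secure; HttpOnly' },
];
console.log(auditLoginHost(SAMPLE, 'login.custom-domain.com'));
```

Only the Domain= cookie spills into the login subdomain in the sample; the host-only `prefs` cookie stays on custom-domain.com, which is the behaviour step 1 asks for.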