Mobile App Failing with "Password login via OIDC-conformant clients with externally-hosted login pages..."

lihua.zhang · October 5, 2022, 6:52pm

Problem Statement

When logging in using Universal Login, the following error occurs:

<em>error code: access_denied
error description: Invalid state
Password login via OIDC-conformant clients with externally-hosted login pages is unsupported. Alternatively, login could have been initiated from the wrong place (e.g., a bookmark).</em>

How can this error be resolved?

Symptoms

The user is redirected to the default login URI if it is configured application level or tenant level.

Cause

The state mismatch error on mobile apps usually happens due to cookie failures. Unfortunately, cookies are not recorded in tenant logs due to security concerns, which makes it difficult to troubleshoot cookie-related issues.
Here are the most common scenarios where the state mismatch issue can happen.

The browser discards the Auth0 Session cookie. Here are a few potential reasons for this:
a. The user’s first-party cookies are disabled.
b. The total cookie size and number exceeds the supported size number of the browser. Note there are slight variations between browsers in terms of both the maximum supported cookie size and the number of permitted domains. For the latest information, consult the browser vendor’s documentation.
c. If you are using a custom domain, a user visiting some pages on ‘custom-domain.com’ may set some cookies on the browser which are accessible on the login subdomain ‘login.custom-domain.com’. As a consequence, the mobile app opening the login domain on the same browser may result in the Auth0 cookies (auth0, auth0_compat) not getting set, which could cause this issue.
d. Apple Safari’s Intelligent Tracking Protection (ITP) blocks first-party cookies when it detects/thinks that the cookies are for tracking purposes. For further information, refer to Safari Privacy Overview.
The user bookmarks the login page and opens the login page directly. (This usually happens for web apps)
Multiple login pages are opened simultaneously on the same browser. (This usually happens for web apps).
The user clicks the back button on the login page. (This usually happens for web apps).

Solution

Suggested actions:

When using a custom domain, the cookies from the base domain should not be available for the sub-domain that is used with your custom login domain. This is possible to implement with the host-only cookie type, where the request’s host must exactly match the domain of the cookie.
Check that the browser’s maximum supported cookie size.
For native iOS apps, using the ephemeral sessions may also be helpful as the Auth0 cookies are removed every time after the login is completed. This can help to have the browser in a good state for these cookies. For more information, refer to the Auth0 Swift FAQ .

Related References

Cookies
Custom Domains
External: Using HTTP Cookies
External: RFC 6265 HTTP State Management Mechanism

Topic		Replies	Views
Password login via OIDC-conformant clients with externally-hosted login pages is unsupported intermitently occuring Get Help classic-universal-login-experience , login-experience	3	328	December 11, 2024
Reducing occurrences of "Password login via OIDC-conformant clients" error Get Help oidc-conformant , hosted-login-page	5	6482	September 4, 2019
Previously working, now logins failing Get Help	3	3449	August 26, 2019
Password login via OIDC-conformant clients with externally-hosted login pages is unsupported bookmark issues Get Help oidc , oidc-conformant	2	6832	January 20, 2021
Password Login via OIDC-Conformant Clients with Externally-Hosted Login Pages is Unsupported or Initiated from the Wrong Place Knowledge Articles classic-universal-login , application-login-uri	1	607	January 24, 2024