Mobile App Failing with "Password login via OIDC-conformant clients with externally-hosted login pages..."

Problem Statement

When logging in using Universal Login, the following error occurs:

<em>error code: access_denied
error description: Invalid state
Password login via OIDC-conformant clients with externally-hosted login pages is unsupported. Alternatively, login could have been initiated from the wrong place (e.g., a bookmark).</em>

How can this error be resolved?


The user is redirected to the default login URI if it is configured application level or tenant level.


The state mismatch error on mobile apps usually happens due to cookie failures. Unfortunately, cookies are not recorded in tenant logs due to security concerns, which makes it difficult to troubleshoot cookie-related issues.
Here are the most common scenarios where the state mismatch issue can happen.

  1. The browser discards the Auth0 Session cookie. Here are a few potential reasons for this:
    a. The user’s first-party cookies are disabled.
    b. The total cookie size and number exceeds the supported size number of the browser. Note there are slight variations between browsers in terms of both the maximum supported cookie size and the number of permitted domains. For the latest information, consult the browser vendor’s documentation.
    c. If you are using a custom domain, a user visiting some pages on ‘’ may set some cookies on the browser which are accessible on the login subdomain ‘’. As a consequence, the mobile app opening the login domain on the same browser may result in the Auth0 cookies (auth0, auth0_compat) not getting set, which could cause this issue.
    d. Apple Safari’s Intelligent Tracking Protection (ITP) blocks first-party cookies when it detects/thinks that the cookies are for tracking purposes. For further information, refer to Safari Privacy Overview.
  2. The user bookmarks the login page and opens the login page directly. (This usually happens for web apps)
  3. Multiple login pages are opened simultaneously on the same browser. (This usually happens for web apps).
  4. The user clicks the back button on the login page. (This usually happens for web apps).


Suggested actions:

  1. When using a custom domain, the cookies from the base domain should not be available for the sub-domain that is used with your custom login domain. This is possible to implement with the host-only cookie type, where the request’s host must exactly match the domain of the cookie.
  2. Check that the browser’s maximum supported cookie size.
  3. For native iOS apps, using the ephemeral sessions may also be helpful as the Auth0 cookies are removed every time after the login is completed. This can help to have the browser in a good state for these cookies. For more information, refer to the Auth0 Swift FAQ .

Related References