Summary
Hello,
We are maintaining a cross-platform app using the Ionic framework and Capacitor/Cordova plugins. In the Android app various of our users experience the issue mentioned already in your FAQ post: Mobile App Failing with "Password login via OIDC-conformant clients with externally-hosted login pages..."
Password login via OIDC-conformant clients with externally-hosted login pages is unsupported. Alternatively, login could have been initiated from the wrong place (e.g., a bookmark).
Technical
The type of login experience used in the app is the Classic Universal Login Experience with custom css for branding.
In the code we 're currently using the Auth0.js v9 library v9.19.1 but the issue still happens with an older build using v9.16.4 for example.
Specifically we 're using Authentication.buildAuthorizeUrl(options) which returns an auth0 url of the /authorize kind.
The options we’re passing to that function are as follows:
{
clientID,
redirectUri: (The app's deep link scheme that handles login, given the Authorization Code),
responseType: code,
code_challenge,
code_challenge_method: 'S256',
scope: 'offline_access openid profile',
audience
}
That url gets opened with the default browser on the device (using Capacitor’s Browser plugin) at which time the auth0 /authorize link gets automatically redirected to a /login link.
Story
The user is presented with the universal login screen in order to input an email and password, and having written the information to each form field, taps the Login button.
Instead of getting redirected to the url scheme (and therefore the app itself), the “Oops” page is shown with the aforementioned error.
What’s peculiar is that, without making any changes to the app or browser configuration, if the user retries logging in by closing the browser window and restarting the flow (url generated → browser opened), the login will work fine the second or the 3rd time, which means that the issue is a bit random. It might or might not appear.
Please can we get some guidance if there is a misconfiguration on our part or this is a known issue and if so, is there any known workaround we can deploy as users fail to login in our app?