Password login via OIDC-conformant clients with externally-hosted login pages is unsupported intermittently occurring

Hi
We have an issue where, if you leave our web app open for a few hours, it seems to randomly break the login page. For example:

  • visit the app and get redirected to the sign in page
  • attempt to sign in, works fine, redirects the user to the app
  • leave the web app open for a long period of time
  • eventually, the token can’t be refreshed so it redirects the user to the login page
  • when you try logging in, you get this error

“Password login via OIDC-conformant clients with externally-hosted login pages is unsupported. Alternatively, login could have been initiated from the wrong place (e.g., a bookmark).”

But if you reload the sign-in page, the login works fine. Just the first attempt fails.
I have a HAR file, but I do not wish to share it publicly. Is there someone who can assist with this to inspect what's going wrong?

I’ve tried

  • ensuring that the tenant level redirect uri is set and valid
  • ensuring that the application’s redirect uri is set and valid
  • getAccessTokenSilently({ redirect_uri: '…' }) is set and matches the redirect uri

I can’t reproduce the issue exactly every time, but our Auth0 logs are full of this error. I’ve tried scouring the forums with no luck. Any suggestions?

Hey - I still have users experiencing this issue from time to time and it's very frustrating. Is anyone from Auth0 able to help? Urgently need assistance. A user experienced this issue yesterday and I was able to find the details in the Auth0 log. I’ve [omitted] information that may be sensitive. But if an engineer needs the original, we can arrange it privately.

{
  "date": "2024-11-07T05:33:06.152Z",
  "type": "f",
  "description": "Password login via OIDC-conformant clients with externally-hosted login pages is unsupported. Alternatively, login could have been initiated from the wrong place (e.g., a bookmark).",
  "connection": "app",
  "connection_id": "[omitted]",
  "client_id": "[omitted]",
  "ip": "[omitted]",
  "user_agent": "Chrome 130.0.0 / Mac OS X 10.15.7",
  "details": {
    "body": {
      "wa": "wsignin1.0",
      "wresult": "[omitted]",
      "wctx": "{\"strategy\":\"auth0\",\"auth0Client\":\"[omitted]\",\"tenant\":\"[omitted]\",\"connection\":\"app\",\"client_id\":\"[omitted]\",\"response_type\":\"code\",\"scope\":\"openid profile email\",\"redirect_uri\":\"[omitted]\",\"state\":\"[omitted]\",\"nonce\":\"[omitted]\",\"sid\":\"[omitted]\",\"audience\":\"[omitted]\",\"jti\":\"[omitted]\",\"realm\":\"app\"}"
    },
    "qs": {},
    "connection": "app",
    "error": {
      "message": "Password login via OIDC-conformant clients with externally-hosted login pages is unsupported. Alternatively, login could have been initiated from the wrong place (e.g., a bookmark).",
      "oauthError": "access_denied",
      "type": "oauth-authorization"
    },
    "session_id": "[omitted]"
  },
  "hostname": "[omitted]",
  "$event_schema": {
    "version": "1.0.0"
  },
  "log_id": "[omitted]",
  "tenant_name": "[omitted]",
  "_id": "[omitted]",
  "isMobile": false,
  "originalData": {
    "date": "2024-11-07T05:33:06.152Z",
    "type": "f",
    "description": "Password login via OIDC-conformant clients with externally-hosted login pages is unsupported. Alternatively, login could have been initiated from the wrong place (e.g., a bookmark).",
    "connection": "app",
    "connection_id": "[omitted]",
    "client_id": "[omitted]",
    "ip": "[omitted]",
    "user_agent": "Chrome 130.0.0 / Mac OS X 10.15.7",
    "details": {
      "body": {
        "wa": "wsignin1.0",
        "wresult": "[omitted]",
        "wctx": "{\"strategy\":\"auth0\",\"auth0Client\":\"[omitted]\",\"tenant\":\"[omitted]\",\"connection\":\"app\",\"client_id\":\"[omitted]\",\"response_type\":\"code\",\"scope\":\"openid profile email\",\"redirect_uri\":\"[omitted]\",\"state\":\"[omitted]\",\"nonce\":\"[omitted]\",\"sid\":\"[omitted]\",\"audience\":\"[omitted]\",\"jti\":\"[omitted]\",\"realm\":\"app\"}"
      },
      "qs": {},
      "connection": "app",
      "error": {
        "message": "Password login via OIDC-conformant clients with externally-hosted login pages is unsupported. Alternatively, login could have been initiated from the wrong place (e.g., a bookmark).",
        "oauthError": "access_denied",
        "type": "oauth-authorization"
      },
      "session_id": "[omitted]"
    },
    "hostname": "[omitted]",
    "$event_schema": {
      "version": "1.0.0"
    },
    "log_id": "[omitted]",
    "tenant_name": "[omitted]",
    "_id": "[omitted]",
    "isMobile": false
  },
  "integrityRuleset": {},
  "id": "[omitted]"
}
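
Added example, not part of the original post and not Auth0's code: one way to triage a tenant log export for this failure, using the field names visible in the event above (`type`, `details.error.message`, `details.body.wctx`). The function names and the sample events are constructed for illustration.

```javascript
// Added example, not Auth0 code. Field names come from the log event posted above.
const TARGET =
  "Password login via OIDC-conformant clients with externally-hosted login pages is unsupported";

// wctx arrives as a JSON document serialized into a string; return null if absent or malformed.
function parseWctx(event) {
  const raw = event?.details?.body?.wctx;
  if (typeof raw !== "string") return null;
  try {
    return JSON.parse(raw);
  } catch {
    return null;
  }
}

function bump(counter, key) {
  counter[key] = (counter[key] || 0) + 1;
}

// Count matching failure events by UTC hour, user agent and the response_type found in wctx.
function summarize(events) {
  const out = { matched: 0, badWctx: 0, byHour: {}, byUserAgent: {}, byResponseType: {} };
  for (const ev of events) {
    const msg = ev?.details?.error?.message ?? ev?.description ?? "";
    if (ev?.type !== "f" || !msg.startsWith(TARGET)) continue;
    out.matched++;
    bump(out.byHour, String(ev.date).slice(0, 13)); // "YYYY-MM-DDTHH"
    bump(out.byUserAgent, ev.user_agent || "unknown");
    const wctx = parseWctx(ev);
    if (wctx === null) out.badWctx++;
    else bump(out.byResponseType, wctx.response_type || "missing");
  }
  return out;
}

// Constructed sample events (values are placeholders, not real tenant data).
const failure = (date, wctx) => ({
  date, type: "f", user_agent: "Chrome 130.0.0 / Mac OS X 10.15.7",
  details: { body: { wa: "wsignin1.0", wctx }, error: { message: TARGET + ". Alternatively, ..." } },
});
const sampleEvents = [
  failure("2024-11-07T05:33:06.152Z", JSON.stringify({ response_type: "code", realm: "app" })),
  failure("2024-11-07T05:48:10.000Z", JSON.stringify({ response_type: "code", realm: "app" })),
  failure("2024-11-08T01:02:03.000Z", "{not json"),
  { date: "2024-11-07T05:34:00.000Z", type: "s", description: "constructed non-failure event" },
];

console.log(JSON.stringify(summarize(sampleEvents), null, 2));
```

Grouping by hour and user agent shows whether the failures cluster around particular times or browsers, which is useful context to hand to support alongside a HAR file.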

Hi @truescope,

The solution is to use the highly recommended New Universal Login and configure the default login route. I’ve attached the relevant documentation below:

Hope this helps!
