Would like to bump this thread a bit, since the limitation is an inconvenience to a lot of users.
I’d like to point out another user flow where this nonce check fails (although I’m not sure why):
- User enters their e-mail and sends a magic link
- They now switch Chrome/Google profiles (which opens up a new “instance” of Google Chrome)
- Even though they still use the same browser on the same device, the nonce check fails since (I presume) Google keeps cookies and other storage means separate for profiles.
This is a very common scenario for people using both their personal and corporate Google profiles/accounts in Chrome
and has caused us a lot of headache solely because we decided to use auth0 for our auth provider.
This is a similar issue in principle as with Increase inactivity timeout - #6 by jbrinkman,
where auth0 dictates the level of security without compromise for its users, even though it sacrifices the end user’s UX (or even ability to use the login…)
I’d also be interested in an answer to the question @heidi asked - does this check apply to an OTP/code e-mail as well?
Is there any way to work around this? The only option we see atm is to set up our own auth microservice that replicates auth0, but lacks this limitation…
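To make the profile-switch failure described in this post concrete, here is an added example (not Auth0's code, and not anything from the original thread) that models the presumed mechanism: the magic-link token in the e-mail is bound to a nonce cookie set in the browser that requested it, and each Chrome profile is a separate cookie jar. The `MagicLinkServer` and `BrowserProfile` classes, the `magic_nonce` cookie name and the HMAC secret are all constructed for the illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed demo secret; a real service would load this from a secret store.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
LINK_TTL_SECONDS = 15 * 60


@dataclass
class BrowserProfile:
    """A simulated browser profile with its own isolated cookie jar."""
    name: str
    cookies: dict = field(default_factory=dict)


@dataclass
class PendingLogin:
    email: str
    nonce_hash: str      # keyed hash of the nonce handed to the requesting browser
    expires_at: float


class MagicLinkServer:
    """Hypothetical magic-link issuer that binds each link to a browser cookie."""

    def __init__(self) -> None:
        self.pending: dict[str, PendingLogin] = {}

    def _hash(self, value: str) -> str:
        return hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()

    def request_link(self, email: str, browser: BrowserProfile) -> str:
        """User submits their e-mail from `browser`: returns the token that goes
        into the e-mailed link and drops a nonce cookie into that browser."""
        token = secrets.token_urlsafe(32)
        nonce = secrets.token_urlsafe(32)
        browser.cookies["magic_nonce"] = nonce
        self.pending[token] = PendingLogin(
            email, self._hash(nonce), time.time() + LINK_TTL_SECONDS
        )
        return token

    def verify_link(self, token: str, browser: BrowserProfile) -> tuple[bool, str]:
        """Link is opened in `browser`: both the URL token and the nonce cookie
        set at request time must be present and match."""
        pending = self.pending.get(token)
        if pending is None:
            return False, "unknown or already-used token"
        if time.time() > pending.expires_at:
            del self.pending[token]
            return False, "token expired"
        nonce = browser.cookies.get("magic_nonce")
        if nonce is None:
            # This is the profile-switch case: same device, different cookie jar.
            return False, "nonce cookie missing: opened in another profile or device"
        if not hmac.compare_digest(self._hash(nonce), pending.nonce_hash):
            return False, "nonce mismatch"
        del self.pending[token]  # single use
        return True, f"logged in as {pending.email}"


def demo_profile_switch() -> tuple[bool, bool]:
    """Request the link from the personal profile, open it first in the corporate
    profile (fails), then in the personal one (succeeds)."""
    server = MagicLinkServer()
    personal = BrowserProfile("personal")
    corporate = BrowserProfile("corporate")
    token = server.request_link("user@example.com", personal)
    ok_other, reason_other = server.verify_link(token, corporate)
    ok_same, reason_same = server.verify_link(token, personal)
    print(f"corporate profile: {ok_other} ({reason_other})")
    print(f"personal profile:  {ok_same} ({reason_same})")
    return ok_other, ok_same


if __name__ == "__main__":
    demo_profile_switch()
```

The point of the cookie binding is that a stolen or forwarded link is useless on its own; the cost, as the thread observes, is that any legitimate context without that cookie (another profile, another device, a mail client's in-app browser) is rejected the same way. An OTP/code flow avoids this only if the code is checked against server-side state rather than a browser cookie, which is exactly the open question in the thread.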