React SPA and "access_denied: Password login via OIDC-conformant clients with externally-hosted..."


I have a React SPA and added in Auth0 using the sample app provided. I keep getting this error, maybe 90% of attempted logins.

access_denied : Password login via OIDC-conformant clients with externally-hosted login pages is unsupported. Alternatively, login could have been initiated from the wrong place (e.g., a bookmark).

I’m not using externally hosted pages; I’m using the Auth0 provided dialog.

What does this error mean? Why am I getting it? Are the sample apps out of date?


Hi @jeffeld!

Welcome to the Auth0 Community!

Take a look at this response to a similar problem.

Let me know if this helps,

Hi Dan,

Thanks for taking the time to reply; much appreciated.

I did have a look at some of the other issues where this error was being generated, but as I’m using the auth0-js npm module I’m not calling any endpoints directly.

I have figured out a rock solid repro case. The React sample app Auth0 supplies calls the login/logout methods in response to to a button click (and this works ok). My app calls the login/logout methods like this:

class SignInUi extends React.Component{
    render () {
        return null;
    componentDidMount(): void {
        // Show the sign-in dialog

I did this so that login/logout can be called directly from the browser as a route. And this is the problem.

I feel that my use case is valid and the problem lay within the SDK.

I’d be interested to know your thoughts.

Many thanks,

EDIT: For the moment, I’m doing the same as the sample app but I’d like to be able to implement login/logout via routes and not click handlers.


Sorry for the delay in response.

Are you having any luck figuring this one out?