Similar to a few others on here, we are experiencing an issue where our redirect rule (for custom MFA) passes back to the /continue endpoint only to encounter a 401 Unauthorized response which does not redirect to our OIDC callback URL, but simply stops dead, showing the text “Unauthorized” in the browser.

It doesn’t happen reliably, but seems more likely if we wait too long on our MFA pages, before redirecting back to Auth0.

HAR file (284.5 KB) - heavily obfuscated/redacted

What I have learned already:

• Seems to be timeout-related; if we wait on our custom MFA verify page for over 60 seconds (roughly), we are far more likely to trigger the Unauthorized error on /continue.
• Nothing shows up in the Auth0 console log about this.
• None of the continuation rule’s console.log() statements are appearing in my Webtask monitoring session, including a console.log statement right at the beginning of the rule. I had added these statements to check whether the rule itself was triggering the Unauthorized response (it heavily validates the incoming information and returns UnauthorizedError when necessary.)
• The /continue request is conspicuously not redirecting back to our OIDC login callback URL (at least if it did, we could try to handle the problem there…)
• UPDATE Something highly suspicious I just noticed - you can see it in the HAR file - on the 302 redirect from Auth0 to our server, it sets two cookies auth0 and auth0_compat that expire exactly one minute from the time of the response. These two cookies, presumably because they expired, are then not sent to the /continue request. Is this our smoking gun?? If so, what can be done about it?

We are not using any social connections (unlike those in a similar conversation ) - just an ordinary database connection.

Any insight would be appreciated.

It looks like we had our tenant Idle Session Timeout set to 1 minute!! Easy fix.

Glad you have it working now!