Similar to a few others on here, we are experiencing an issue where our redirect rule (for custom MFA) passes back to the /continue endpoint only to encounter a 401 Unauthorized response which does not redirect to our OIDC callback URL, but simply stops dead, showing the text “Unauthorized” in the browser.
It doesn’t happen reliably, but seems more likely if we wait too long on our MFA pages before redirecting back to Auth0.
HAR file (284.5 KB) - heavily obfuscated/redacted
What I have learned already:
- Seems to be timeout-related; if we wait on our custom MFA verify page for over 60 seconds (roughly), we are far more likely to trigger the Unauthorized error on `/continue`.
- Nothing shows up in the Auth0 console log about this.
- None of the continuation rule’s `console.log()` statements are appearing in my Webtask monitoring session, including a `console.log` statement right at the beginning of the rule. I had added these statements to check whether the rule itself was triggering the Unauthorized response (it heavily validates the incoming information and returns `UnauthorizedError` when necessary).
- The `/continue` request is conspicuously not redirecting back to our OIDC login callback URL (at least if it did, we could try to handle the problem there…).
- UPDATE: Something highly suspicious I just noticed - you can see it in the HAR file - on the 302 redirect from Auth0 to our server, it sets two cookies, `auth0` and `auth0_compat`, that expire exactly one minute from the time of the response. These two cookies, presumably because they expired, are then not sent to the `/continue` request. Is this our smoking gun?? If so, what can be done about it?
We are not using any social connections (unlike those in a similar conversation) - just an ordinary database connection.
Any insight would be appreciated.