User unable to complete login if the /authorize endpoint was called twice

Problem statement

We noticed that calling the /authorize endpoint twice, a few milliseconds apart, produces an error in both the Classic Login and the New Signup experience. The end user might click that link from a landing page or email.

Symptoms

CLASSIC EXPERIENCE LOGIN:

UI ERROR: “WE’RE SORRY, SOMETHING WENT WRONG WHEN ATTEMPTING TO LOG IN.”

The response to /usernamepassword/login is:

{ "statusCode": 403, "description": "Invalid state", "name": "AnomalyDetected", "code": "access_denied" }

NEW EXPERIENCE SIGNUP:

UI ERROR: “some body keys are invalid”

Steps to reproduce

Prepare the /authorize link.

To reproduce the classic experience issue, double-click the link while holding the command key as quickly as possible.

To reproduce the new experience issue, the /authorize link should have the screen_hint=signup query param. Also, double-click the link while holding the command key.

Note: this may not work the first time, as you need to be very quick to click that link twice.

Cause

This is related to the way state and sessions are handled. Because there is no previous session or cookie, when both requests arrive at the server at about the same time there is a race condition: two sessions are created, and one overrides the other.

In the New experience this is solved by TPIL, which is not supported in the Classic login.
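To make the race above concrete, here is a constructed simulation (an added example, not Auth0 code) of two /authorize requests sent before either response returns: each request carries no session cookie, each response mints its own session and state, the browser keeps only the last Set-Cookie, and the login form from the first tab then submits a state the surviving session does not recognise. The class names, cookie format and state format are assumptions; only the 403 body mirrors the response quoted under Symptoms.

```python
# Constructed model of the race described in the Cause section: two /authorize
# requests fired before either response returns, each with no session cookie.
# Not Auth0 code; the classes, names and cookie/state shapes are assumptions.
import secrets


class AuthServer:
    """Minimal authorization server: one server-side session per cookie, holding the state it issued."""

    def __init__(self):
        self.sessions = {}  # session cookie -> {"state": expected state}

    def authorize(self, cookie):
        # No recognised session cookie: mint a new session and a new state.
        if cookie not in self.sessions:
            cookie = secrets.token_hex(8)
        state = secrets.token_hex(8)
        self.sessions[cookie] = {"state": state}
        # The state is embedded in the login page; the cookie goes out via Set-Cookie.
        return {"set_cookie": cookie, "state": state}

    def login(self, cookie, state):
        # Mirrors the 403 quoted under Symptoms: the state must match the session the cookie names.
        session = self.sessions.get(cookie)
        if session is None or session["state"] != state:
            return {"statusCode": 403, "description": "Invalid state",
                    "name": "AnomalyDetected", "code": "access_denied"}
        return {"statusCode": 200}


def run_authorize(server, clicks):
    """Send `clicks` /authorize requests at once (no cookie on any of them), then apply
    the responses in arrival order. Returns the surviving cookie and one state per tab."""
    responses = [server.authorize(cookie=None) for _ in range(clicks)]
    cookie = None
    tab_states = []
    for resp in responses:
        cookie = resp["set_cookie"]  # a later Set-Cookie replaces the earlier one
        tab_states.append(resp["state"])
    return cookie, tab_states


def simulate(clicks):
    """Return the /login outcome for each tab opened by `clicks` near-simultaneous clicks."""
    server = AuthServer()
    cookie, tab_states = run_authorize(server, clicks)
    return [server.login(cookie, state) for state in tab_states]


if __name__ == "__main__":
    print(simulate(1))  # single click: [{'statusCode': 200}]
    print(simulate(2))  # double click: first tab gets the 403 "Invalid state", second tab succeeds
```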

Solution

The issue can be fixed in the New Universal Experience by configuring the Default Login Route. In the Classic experience, there is no workaround yet.