Hi,
We had a recent issue where users got into an infinite redirect loop when the “Remember this device for 30 days” option was selected for MFA, making them unable to log in.
Reproduction flow: Login attempt → MFA request → User selects Remember device option → Successful Login.
Logout, then on the next login: Login attempt → Infinite redirect loop, failure to log in
We enabled MFA in a Post Login action. We solved the issue by setting the allowRememberBrowser option to false.
Is it a new bug in Auth0? This feature used to work without problems.
Hi @gy.ny-k
Welcome to the Auth0 Community!
I understand that you are seeing a login loop when the "Remember this device" option is enabled for MFA.
This is a known behaviour that occurs due to how Post-Login Actions interact with application SDKs (like auth0-react or auth0-angular) during session renewals and subsequent logins, especially if the SDK attempts to renew tokens silently. After the user logs in, completes MFA and checks the "Remember this device" option, on subsequent logins the SDK attempts to renew tokens silently (e.g., via getAccessTokenSilently or a refresh token). Your Post-Login Action runs unconditionally and calls api.multifactor.enable() again, so the request is flagged as requiring an MFA challenge.
You should be able to keep allowing your users to check the "Remember this device" option while fixing the login loop by modifying your Post-Login Action to check whether MFA was already completed or if the request is a silent/refresh-token flow. The following documentation on Silent authentication with Multi-factor Authentication is a great resource in this regard and offers the following Post-Login Action template:
exports.onExecutePostLogin = async (event, api) => {
  // Authentication methods the user has already completed in this transaction.
  const authMethods = event.authentication?.methods || [];
  // True when an 'mfa' entry is present, i.e. MFA has already been satisfied.
  const completedMfa = !!authMethods.find((method) => method.name === 'mfa');
  // Only request an MFA challenge when it has not been completed yet,
  // so silent renewals do not trigger a new challenge and loop.
  if (!completedMfa) {
    api.multifactor.enable('any', { allowRememberBrowser: true });
  }
};
Allow me to also share the following topics and documentation on the matter, which should prove useful depending on your configurations:
Hope this helped provide some additional details regarding the behaviour that you are seeing and thank you for reporting this to our end! Please reach out to us for any other issues or requests, we will gladly look into it.
Best regards,
Gerald
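As an added example, not part of Gerald's reply or of Auth0's own documentation: the decision logic from the template above, extended to also skip the challenge on refresh-token grants, and exercised against constructed event objects so the loop condition can be seen locally. It assumes the shape of the Actions event (completed methods under `event.authentication.methods` with an entry named `mfa`, and `event.transaction.protocol` set to `oauth2-refresh-token` for refresh-token renewals); verify both against the current Actions event reference before deploying. The `fakeApi`/`simulate` helpers are test scaffolding, not part of the Actions runtime.

```javascript
// Added example (not from the thread or Auth0 docs). Assumptions to verify
// against Auth0's Post-Login Action event reference:
//  - event.authentication.methods lists completed methods, MFA as { name: 'mfa' }
//  - event.transaction.protocol is 'oauth2-refresh-token' on refresh-token grants

// Decision logic kept in its own function so it can be unit-tested.
function shouldChallengeMfa(event) {
  const authMethods = event.authentication?.methods || [];
  const completedMfa = authMethods.some((m) => m.name === 'mfa');
  const isRefreshTokenGrant = event.transaction?.protocol === 'oauth2-refresh-token';
  // Challenge only on a fresh interactive login that has not satisfied MFA yet.
  return !completedMfa && !isRefreshTokenGrant;
}

// The handler as it would be deployed in the Action.
async function onExecutePostLogin(event, api) {
  if (shouldChallengeMfa(event)) {
    api.multifactor.enable('any', { allowRememberBrowser: true });
  }
}

// The unconditional version that produces the loop described in the thread:
// every pass, including silent renewals, is flagged as needing an MFA challenge.
async function loopingPostLogin(event, api) {
  api.multifactor.enable('any', { allowRememberBrowser: true });
}

// Minimal stand-in for the Actions `api` object that records enable() calls.
function fakeApi() {
  const calls = [];
  return {
    calls,
    multifactor: { enable: (provider, options) => calls.push({ provider, options }) },
  };
}

// Run a handler against a constructed event and report whether MFA was requested.
// The handlers contain no await before api.multifactor.enable(), so the body has
// run synchronously by the time the returned promise is discarded.
function simulate(event, handler = onExecutePostLogin) {
  const api = fakeApi();
  handler(event, api);
  return api.calls.length > 0;
}

// Constructed events (not captured from a real tenant).
const freshLogin = {
  authentication: { methods: [{ name: 'pwd' }] },
  transaction: { protocol: 'oidc-basic-profile' },
};
const loginWithMfaDone = {
  authentication: { methods: [{ name: 'pwd' }, { name: 'mfa' }] },
  transaction: { protocol: 'oidc-basic-profile' },
};
const silentRefresh = {
  authentication: { methods: [{ name: 'pwd' }] },
  transaction: { protocol: 'oauth2-refresh-token' },
};

// Summary of all three scenarios under both handlers.
function summary() {
  return {
    fixed: {
      freshLogin: simulate(freshLogin),
      loginWithMfaDone: simulate(loginWithMfaDone),
      silentRefresh: simulate(silentRefresh),
    },
    looping: {
      freshLogin: simulate(freshLogin, loopingPostLogin),
      loginWithMfaDone: simulate(loginWithMfaDone, loopingPostLogin),
      silentRefresh: simulate(silentRefresh, loopingPostLogin),
    },
  };
}

console.log(JSON.stringify(summary(), null, 2));
```

The point the simulation makes: with the unconditional handler every scenario, including the silent refresh, asks for a challenge, while the guarded handler challenges only the fresh interactive login. If your Action already has the `mfa` check and the loop persists, compare the actual `event.authentication.methods` and `event.transaction.protocol` values seen in the Action logs against these assumed shapes.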
Hi @gerald.czifra ,
Thank you for the reply!
We have the same logic in our post login action as you recommended (the check for MFA completion). It worked until the evening of last Tuesday.