So we’ve recently gone live and I have a handful of users that suffer this utterly bizarre issue. One is on Win 7 and Chrome but has a bizarre corporate network (works when they’re not connected through it) and I suspect the others are on macOS + Safari because that’s the only way I’ve been able to reliably reproduce the issue.
Most of our customers appear to be fine and I cannot reproduce this issue with other OS and browser tech.
The problem occurs within an old-fashioned ASP.NET WebForms app that checks its session to see if a user has been authed already and, if not, makes a request to auth0 to auth, which redirects to a “LoginCallback.ashx”.
The user has very likely already logged in elsewhere (we’re all happy-path here) and the code is mostly similar to the auth0 example here: https://github.com/auth0-samples/auth0-aspnet-saml-idp-initiated/blob/master/LoginCallback.ashx.cs
The problem we experience (for a handful of users) results in a timeout exception on the line:
    // Exchange the authorization code from the callback query string for tokens
    var token = await client.GetTokenAsync(new AuthorizationCodeTokenRequest
    {
        ClientId = ConfigurationManager.AppSettings["Auth:ClientId"],
        ClientSecret = ConfigurationManager.AppSettings["Auth:ClientSecret"],
        Code = context.Request.QueryString["code"],
        RedirectUri = context.Request.Url.ToString()
    });
where client is of type AuthenticationApiClient.
I haven’t yet got an HTTP trace (my next step) but from the logs in auth0 and the user reports it seems that the auth0 API says to the client:
ye, this user is valid
but the client immediately re-requests.
auth this user please!
The user is bounced back and forth between the two endpoints until they time out, with exactly the same responses. The user auths fine but the client somehow disagrees and re-requests.
The chatter is probably some hundreds of requests and spams into pages in the auth0 logs.
While it’s possible that our code is somehow contributing to this apparent loop, my basic read of the code (due to exceptions) suggests that is only possible if the session state doesn’t work.
Like I said, I’m going to try to trace the HTTP on some weird Mac box we have kicking around that can actually reproduce the problem to see if I can fathom what’s going on, but in the meantime I just wonder if anyone else has experienced this problem before.
EDIT: Actually, wait, it’s probably totally cookies being disabled. That would make a lot of sense…
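The loop described in the post is what you get when the callback handler can never see the session it wrote before redirecting to auth0: no session, so it redirects again, auth0 (which still has the user signed in) immediately sends back a fresh code, and so on. The following is an added example, not code from the original post or from the linked Auth0 sample, of a guard that makes the callback fail fast with a "cookies required" response instead of re-redirecting. It uses ASP.NET's real HttpSessionState.IsNewSession property and the OAuth state parameter; the class name, the session key "auth0_state" and the response messages are my own assumptions.

```csharp
// Added example: a redirect-loop guard for an ASP.NET WebForms login flow.
// Not code from the original post or from the Auth0 sample it links to.
// Assumed names: LoginLoopGuard, the session key "auth0_state", the messages.
using System;
using System.Web;
using System.Web.SessionState;

public static class LoginLoopGuard
{
    private const string StateKey = "auth0_state"; // assumed session key

    public enum CallbackVerdict { Proceed, NoSessionCookie, StateMismatch }

    // Call this before redirecting the browser to auth0. It stores a random,
    // single-use state value in session and appends it to the authorize URL.
    // If the browser does not return the session cookie, that value is gone
    // on the callback, which is exactly the condition we want to detect.
    public static string AppendState(HttpContext ctx, string authorizeUrl)
    {
        var state = Guid.NewGuid().ToString("N");
        ctx.Session[StateKey] = state;
        var separator = authorizeUrl.Contains("?") ? "&" : "?";
        return authorizeUrl + separator + "state=" + Uri.EscapeDataString(state);
    }

    // Call this in LoginCallback.ashx before GetTokenAsync.
    public static CallbackVerdict Check(HttpContext ctx)
    {
        // IsNewSession is true when ASP.NET had to create a fresh session for
        // this request, i.e. the browser did not send ASP.NET_SessionId back.
        // Redirecting to auth0 again from here is what produces the ping-pong.
        if (ctx.Session.IsNewSession || ctx.Session[StateKey] == null)
            return CallbackVerdict.NoSessionCookie;

        var expected = (string)ctx.Session[StateKey];
        var received = ctx.Request.QueryString["state"];
        ctx.Session.Remove(StateKey); // single use: a replayed callback fails below

        if (received == null ||
            !string.Equals(expected, received, StringComparison.Ordinal))
            return CallbackVerdict.StateMismatch;

        return CallbackVerdict.Proceed;
    }

    // Writes an error response for anything other than Proceed and returns
    // false; the handler should return without redirecting in that case.
    public static bool HandleVerdict(HttpContext ctx, CallbackVerdict verdict)
    {
        switch (verdict)
        {
            case CallbackVerdict.Proceed:
                return true;
            case CallbackVerdict.NoSessionCookie:
                ctx.Response.StatusCode = 400;
                ctx.Response.ContentType = "text/plain";
                ctx.Response.Write(
                    "Sign-in needs cookies enabled for this site (the session cookie was not returned).");
                return false;
            default:
                ctx.Response.StatusCode = 400;
                ctx.Response.ContentType = "text/plain";
                ctx.Response.Write("Invalid sign-in response (state mismatch).");
                return false;
        }
    }
}

// Usage sketch inside the callback handler (which must implement
// IRequiresSessionState so that ctx.Session is available):
//
//   var verdict = LoginLoopGuard.Check(context);
//   if (!LoginLoopGuard.HandleVerdict(context, verdict)) return;
//   var token = await client.GetTokenAsync(...);
```

Two things to keep in mind: the NoSessionCookie branch also fires when session state is in-process and the callback lands on a different web server than the one that started the login, so the same check doubles as a detector for the "session state doesn’t work" case the post mentions; and the state comparison is ordinary CSRF protection for the code exchange, worth having regardless of the loop.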