We’re using hosted pages and the implicit grant. This means that the following flow works as expected:
- User enters our site
- We fire `WebAuth.login()`
- User gets redirected to Auth0
- User logs in at Auth0
- User gets redirected back to our site (on `domain.com/login#access_token=token`)
- We call `WebAuth.parseHash()` to ensure the user is properly logged in
When a user returns to Auth0 manually from this point (using the back button, for example), they are presented with a UI that shows the user is already logged in. When the user confirms this by clicking on the large button, they get redirected back to us.

The problem here is that it doesn’t get redirected to `domain.com/login#access_token=token`, but to `domain.com/login?code=code`. Reading this comment, I’d say this has something to do with the wrong grant being used.

The end result is that `parseHash` fails, redirecting the user back to Auth0 again. The same UI is shown, but when the user confirms it again, it does redirect the user to the correct callback URL.

Why would this be different for this particular flow? Did we miss configuration anywhere, or is this a bug?
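The two callback shapes described in this post (tokens in the URL fragment for the implicit grant, a `code` in the query string for the authorization-code grant) can be told apart before `parseHash()` ever runs. The following is an added example written for this thread, not auth0.js code; `classifyCallback` and `nextAction` are hypothetical helper names, and the `state` check and the one-retry limit are assumptions about how the app wants to behave. It shows how a client can recognise the unexpected `?code=` response, verify `state` on the fragment response, and stop the redirect loop after one retry instead of bouncing to Auth0 indefinitely.

```javascript
// Added example (not auth0.js): classify an Auth0 callback URL so the app
// can distinguish an implicit-grant response (tokens in the fragment) from
// an authorization-code response (code in the query) and avoid a redirect loop.

// Parse "#access_token=...&state=..." into a plain object.
function parseFragment(fragment) {
  const out = {};
  const params = new URLSearchParams(fragment.replace(/^#/, ''));
  for (const [key, value] of params) out[key] = value;
  return out;
}

// expectedState is the value the app stored before calling WebAuth.login();
// pass undefined to skip the check (assumption: the app persists it itself).
function classifyCallback(urlString, expectedState) {
  const url = new URL(urlString);
  const frag = parseFragment(url.hash);
  const query = Object.fromEntries(url.searchParams);

  // An error from the authorization server may arrive in either location.
  if (frag.error || query.error) {
    return { type: 'error', error: frag.error || query.error };
  }

  // Implicit grant: tokens live in the fragment, never sent to the server.
  if (frag.access_token || frag.id_token) {
    if (expectedState !== undefined && frag.state !== expectedState) {
      // A state mismatch means the response was not initiated by this session.
      return { type: 'error', error: 'state_mismatch' };
    }
    return {
      type: 'implicit',
      accessToken: frag.access_token,
      idToken: frag.id_token,
      state: frag.state,
    };
  }

  // Authorization-code grant: a public SPA has no client secret to exchange
  // this with, so it is the wrong response shape for the flow in this post.
  if (query.code) {
    return { type: 'code', code: query.code, state: query.state };
  }

  return { type: 'none' };
}

// Decide what the login page should do next. `attempts` counts how many
// times this page already re-sent the user to Auth0 in this session.
function nextAction(result, attempts, maxAttempts = 1) {
  switch (result.type) {
    case 'implicit':
      return 'accept'; // hand the fragment to WebAuth.parseHash()
    case 'code':
      // Retry login once; if the code response repeats, surface it instead
      // of looping between the app and Auth0.
      return attempts < maxAttempts ? 'retry_login' : 'show_error';
    case 'error':
      return 'show_error';
    default:
      return 'start_login'; // no response data: begin a fresh login
  }
}

module.exports = { classifyCallback, nextAction };
```

In the browser, after `classifyCallback` returns `implicit` and `parseHash()` succeeds, the app should also drop the fragment from the address bar (for example with `history.replaceState`) so the access token does not linger in history; the retry counter belongs in `sessionStorage` rather than in page state, since the page reloads on every round trip.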