"You may have pressed the back button, refreshed during login..." for social/OIDC connections from hosted pwdless lock

We’ve got 2 auth0 tenants:

  • tenant A is for a webapp, username/password primarily, with hosted passwordless page
  • tenant B is for a react native app, passwordless only

We want tenant A users to be able to login to the mobile app. We’ve setup an OIDC connection in tenant B using tenant A details, then added an button that triggers webAuth.authorize({ connection: 'tenantAoidc' ... }).

This works great when using tenant A’s username/password login method, as well as its social connections (google and outlook in this case).

However it doesn’t work at all when using OTP from the hosted passwordless page. We’re getting the generic You may have pressed the back button, refreshed during login, opened too many login dialogs, or there is some issue with cookies, since we couldn't find your session. Try logging in again from the application and if the problem persists please contact the administrator. error, with no other messages in the logs.

We’ve tried to update the hosted lock config to

auth: {
    redirectUrl: <tenant B callback URL>,
    responseType: 'code', // instead of token

We’ve also set tenant A’s custom domain in the CORS config of tenant B’s app. We setup a temporary cross-origin verification page but it never gets there.

Here’s the flow as seen in the dev tools > network tab.

- tenantB/authorize?...&connection=tenantAoidc
- tenantA/authorize?...&redirect_uri=tenantB/login/callback&state=state1
- tenantA/u/login/identifier?...&state=state2
<click passwordless login buton>
- hostedTenantA/passwordless.html
<email and code steps>
- tenantA/authorize?...&redirect_uri=tenantB/login/callback&state=state3
- tenantA/authorize/resume?...&state=state4
- tenantB/login/callback?error=server_error&error_description=Unable to configure verification page&state=state5

We’re not sure where to go from there, any ideas welcomed…