On February 21, 2024, Auth0 will shorten the TTL for their login flow transactions. This mostly impacts apps using the Classic Universal Login, which will redirect those end users to an error page if they attempt to complete a stale login transaction. An example would be an unauthenticated person loading the login form, walking away from the form for an hour, then entering their credentials and submitting the form. Instead of logging the user in or even warning the user that their form session expired, the user will get redirected to an Auth0 error page, leaving them to find their own way back to the login form.
This scenario was probably already happening for these apps but is more likely to happen with a shorter TTL for these login transactions. To avoid showing this error page to users, you will have to migrate to the New Universal Login experience or add some custom JavaScript to handle the login form session expiration.
For my use case, it wasn't really an option to transition to the New Universal Login for a production application with various clients using the same Classic login form. Instead, I opted to add custom JavaScript to start a session timer via setTimeout that will restart the login flow when possible or show an error banner asking users to try their request again by reloading the page, as this is a better user experience.
For folks with many clients using the same app, you may think you'll need to grab the client ID from the page and manually map the redirect value to the client-specific initiate_login_url. While that can work, it turns out it can be as simple as calling window.location.reload(), as this will have enough context to restart the login transaction and send users to the right place after a successful login, as confirmed by an Auth0 employee.
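The timer approach described above, written out as an added example (not the post's own script or Auth0 code): it schedules a handler shortly before the transaction would go stale, reloads the page to restart the flow when the form is still empty, and otherwise shows a banner so typed input is not silently discarded. The TTL and margin values are placeholders, and the "empty form means safe to reload" rule is this example's assumption.

```javascript
// Added example for a Classic Universal Login page template; not Auth0's code.
// SESSION_TTL_MS is a placeholder: set it to (or below) the transaction TTL Auth0 enforces.
const SESSION_TTL_MS = 55 * 60 * 1000;
const SAFETY_MARGIN_MS = 60 * 1000; // fire before the transaction actually expires

// Assumption: an untouched form can be restarted transparently via reload (the reload
// keeps the /authorize context); a form with input gets a banner instead of losing it.
function chooseExpiryAction(formHasInput) {
  return formHasInput ? 'banner' : 'reload';
}

// Schedules the expiry handler. Timer and DOM dependencies are injected so the
// decision logic can be exercised outside a browser.
function startLoginSessionTimer(opts) {
  const delay = Math.max(0, opts.ttlMs - (opts.marginMs || 0));
  const state = { fired: false, action: null, delay: delay };
  const id = opts.schedule(function () {
    state.fired = true;
    state.action = chooseExpiryAction(opts.formHasInput());
    if (state.action === 'reload') {
      opts.reload();
    } else {
      opts.showBanner('Your login session expired. Please reload the page and try again.');
    }
  }, delay);
  return { state: state, cancel: function () { opts.cancel(id); } };
}

// Browser wiring: only runs where a DOM exists (i.e. on the hosted login page).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  startLoginSessionTimer({
    ttlMs: SESSION_TTL_MS,
    marginMs: SAFETY_MARGIN_MS,
    schedule: window.setTimeout.bind(window),
    cancel: window.clearTimeout.bind(window),
    formHasInput: function () {
      const fields = document.querySelectorAll('input[type=text], input[type=email], input[type=password]');
      return Array.prototype.some.call(fields, function (el) { return el.value.length > 0; });
    },
    reload: function () { window.location.reload(); },
    showBanner: function (msg) {
      const banner = document.createElement('div');
      banner.setAttribute('role', 'alert');
      banner.textContent = msg;
      document.body.insertBefore(banner, document.body.firstChild);
    }
  });
}
```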
If you found this helpful, send me some coffee below or leave a comment ✌️