mozilla-iam / auth0-deploy

Rules and hosted pages (lock) used for the Auth0 instances of Mozilla.
Mozilla Public License 2.0

Starting a social login and then going back redirects to a Mozilla Something Went Wrong page #13

Open tristanweir opened 7 years ago

tristanweir commented 7 years ago

Steps to reproduce

  1. Open new Private Tab
  2. Navigate to http://testrp.security.allizom.org/
  3. Start a Google login
  4. Use Browser back button
  5. Start a GitHub login
  6. Use Browser back button
  7. Start a Google login
  8. Complete the Google login (incl. MFA options)

Instead of taking you to the success page, it takes you to a generic Mozilla Something Went Wrong page.

I think it might be that the callback URL gets messed up by navigating through 2 social logins.

Confirmed in FF 49 and Chrome

gdestuynder commented 7 years ago

The state is regenerated when navigating back and ends up not matching when returning to the RP, which detects this as a CSRF failure and logs you out (it no longer takes you to "something went wrong").

gene1wood commented 7 years ago

@gdestuynder When I tested this just now, I did get the Auth0 "something went wrong" page. I ended up on this URL:

https://auth-dev.mozilla.auth0.com/login/callback?state=63hrbhA1xlQbDfseC7s97tc9&code=4/h68vg5wex4TteHM3zZmam1jKAveFcg2y7izI85rzAr0#

saying

There could be a misconfiguration in the system or a service outage.

How would one fix this issue?

tristanweir commented 7 years ago

The error message now reads:

You probably pressed the back button or there is some issue with cookies, since we couldn't find your session. Try logging in again from the application and if the problem persist contact the administrator.

I feel like the occurrence of this user action is small enough that this error message should be sufficient.

Kang, I assume you wrote the error message. Can you update the text to the following (corrects a typo and makes the instructions clearer)?

You probably pressed the Back button or there was some issue with cookies, since we couldn't find your session. Try signing in again from the site. If the problem persists, please contact the site administrator.