
Redirect users to login page on NONCE mismatch #142

Closed
KarolisL opened this issue Nov 7, 2019 · 9 comments

Comments

@KarolisL
Collaborator

KarolisL commented Nov 7, 2019

Sometimes users get NONCE mismatch. I've seen some similar log messages:

SignInFailedNonce received=9a7ea569fe96459688ad03d51cd63678 sent=null

My hypothesis is that user mistakenly either:

  • manually visits an old auth0 login page (`https://<auth0_domain>.eu.auth0.com/login?state=&protocol=oauth2&audience=&scope=profile%20openid%20email&response_type=code&redirect_uri=https%3A%2F%2F<real_website_domain>%2Foauth2%2Fsignin`)
  • manually visits an old /oauth2/signin URL (`https://<real_website_domain>/oauth2/signin?code=hgfbmMwAu5iBV8ZL&state=<snip>`)

The error page on <real_website_domain>/oauth2/signin (400 BAD REQUEST) confuses users and refresh doesn't mitigate the error since NONCE is still invalid.

Would it make sense to redirect users back to auth0 just like they were coming to the page for the first time (in order to set proper NONCE)?

@KarolisL
Collaborator Author

KarolisL commented Nov 7, 2019

AUTH_NONCE Cookie is set with Max-Age of 60, so if we go to a <real_website>, get redirected to login screen, wait for 61 seconds and log in, we get the ApplicationException.

Could we make maxAge configurable? Or would it be a security risk? v1 had this cookie set to -1
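The two failure modes discussed in this thread (a stale or missing nonce cookie answered with a 400, and a nonce cookie that expires before the user finishes logging in) can be modelled in a few lines. The block below is an added example, not code from dniel/forwardauth; it assumes the nonce is stored in a cookie with a configurable max-age and echoed back by the identity provider in the `state` parameter, and that `login_url` is a hypothetical placeholder for the provider's login endpoint. It shows the current "400 on mismatch" behaviour beside the redirect-to-login alternative proposed in the first comment, with the max-age check made configurable as requested.

```python
# Added example (not project code): nonce cookie issue/verify for an OAuth2
# forward-auth sign-in callback, with configurable max-age and a choice between
# "400 on mismatch" and "redirect to login with a fresh nonce".
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class NonceCookie:
    value: str        # 32 hex chars, same shape as the value in the issue's log line
    issued_at: float  # seconds since epoch when the cookie was set
    max_age: int      # seconds the cookie is considered valid (the "maxAge" setting)


@dataclass
class Response:
    status: int
    location: Optional[str] = None
    set_cookie: Optional[NonceCookie] = None


def issue_nonce(max_age: int, now: float) -> NonceCookie:
    """Create a fresh, unpredictable nonce bound to an expiry window."""
    return NonceCookie(value=secrets.token_hex(16), issued_at=now, max_age=max_age)


def nonce_is_valid(cookie: Optional[NonceCookie], received: Optional[str], now: float) -> bool:
    """True only if a cookie exists, has not expired, and matches the echoed state.

    A missing cookie is exactly the 'sent=null' case from the log line: the
    browser never sent one (or it already expired), so nothing can match.
    """
    if cookie is None or received is None:
        return False
    if now - cookie.issued_at > cookie.max_age:
        return False
    # Constant-time comparison so a mismatch does not leak via timing.
    return hmac.compare_digest(cookie.value.encode(), received.encode())


def handle_signin(cookie: Optional[NonceCookie], received_state: Optional[str], now: float,
                  login_url: str, max_age: int, redirect_on_mismatch: bool = True) -> Response:
    """Model of the /oauth2/signin callback.

    redirect_on_mismatch=False reproduces the behaviour described in the issue
    (400 BAD REQUEST, which a page refresh cannot clear because the nonce never
    becomes valid again). redirect_on_mismatch=True instead restarts the login
    flow with a newly issued nonce, as proposed in the first comment.
    """
    if nonce_is_valid(cookie, received_state, now):
        return Response(status=200)
    if not redirect_on_mismatch:
        return Response(status=400)
    fresh = issue_nonce(max_age, now)
    # The new cookie is set on this response and the same value travels in
    # `state`, so the provider's callback can be matched against it.
    return Response(status=302, location=f"{login_url}?state={fresh.value}", set_cookie=fresh)


if __name__ == "__main__":
    now = 1_000.0
    c = issue_nonce(max_age=300, now=now)
    print(handle_signin(c, c.value, now + 10, "https://idp.example/login", 300).status)       # 200
    print(handle_signin(None, c.value, now, "https://idp.example/login", 300, False).status)  # 400
    print(handle_signin(c, c.value, now + 301, "https://idp.example/login", 300).status)      # 302
```

Two points worth keeping in mind when applying this: the redirect path should carry a retry bound or a marker cookie, otherwise a browser that blocks cookies will bounce between the site and the login page indefinitely, and a longer max-age only widens the window in which the nonce cookie is usable, so it should still be set as `HttpOnly`, `Secure` and `SameSite` as the rest of the session cookies.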

@dniel
Owner

dniel commented Nov 7, 2019

@KarolisL yeah, I agree, 60 seconds is a little bit too aggressive. I set it like that because the token exchange code Auth0 sends is valid for about 60 seconds probably and to tighten security. But as you point out it's possible that the user leaves the login page waiting for 10 min before actually clicking sign in.

I'll add a configuration to specify maxAge in config, and set a more sensible default, maybe 5 or 10 minutes valid cookie time.

@dniel
Owner

dniel commented Nov 7, 2019

@KarolisL like you say, when the user gets a nonce error on the screen; I have seen the errors mostly when using the back button and/or reloading the page. I'll try to investigate setting a default login page in Auth0. I think maybe they have something like that.

@KarolisL
Collaborator Author

KarolisL commented Nov 11, 2019

@dniel in my case, configuring the maxAge would be enough, for now, I could make a PR for this feature.
Regarding the redirect, the UX isn't that great with nonce errors, because the user tends to refresh the page if s/he gets an error, but it is futile to refresh because the nonce won't match no matter how many times you refresh. Another solution would be to add a "try again" button. Maybe this relates to #63?

@dniel
Owner

dniel commented Nov 11, 2019

@KarolisL Thanx for the PR! Could you update your branch to exclude sonarcloud testing in PR-builds to make the PR build succeed? https://travis-ci.community/t/pull-request-builds-fail-with-sonar/3473

@dniel
Owner

dniel commented Nov 11, 2019

@KarolisL I have created a new project https://github.com/dniel/forwardauth-ui for implementing a react UI application. #63 will probably be solved there.

@KarolisL
Collaborator Author

@dniel I have updated the PR to disable sonar on PRs.

@dniel
Owner

dniel commented Nov 12, 2019

@KarolisL thanx for the help, please close this issue when you have verified that the new build is working.

@KarolisL
Collaborator Author

I've just checked, the new build worked!
