How to Handle Bookmarking FusionAuth Login Pages with Custom Domains and PKCE
-
We are having an issue with customers trying to favorite or bookmark our login page. We have a URL for the login page that redirects to the FusionAuth login url. But the URL for the login is only shown for a short time before they are almost immediately redirected to the FusionAuth login URL. The problem this is creating is that customers often end up favoriting the 2nd login page which doesn't work when it's clicked on again later. Can we customize the URL for our customer login page or can we make the 2nd link favoritable? If we do use a custom URL, does this support us connecting with PKCE?
-
Currently your deployments do support custom domains and yes, this would be compatible with PKCE. You can have something like auth.mycompany.com provisioned and a user can bookmark this type of URL. In fact, I believe that your company already has a few of these types of URLs configured. So your customers would have to bookmark the full login path (something like http://auth.mycompany.com...authorize?client_id....redirect_uri...response_mode) and then they can log in to the OAuth2 page that FusionAuth is hosting for login.
The real issue that you have here is related to PKCE.
1. Your app landing page is generating a PKCE challenge and PKCE verifier.
2. Your integration is then using these values to call the authorize endpoint uniquely each time.
3. If a user bookmarks the values/URLs from step two above, they will have issues logging in (due to a PKCE failure).
All of this is in alignment with the OAuth specification (the PKCE values should be unique each time that the authorize endpoint is called). The next question then becomes prevention of a user bookmarking the wrong link. To my mind, you could add some information to a customer portal or landing page letting the customer know the correct page to bookmark. If the login fails, you may be able to redirect the user to the correct page (your page sees the failure and then determines the login landing page to send the user to) to log in as well, to recover the customer experience (in the case where the user has bookmarked the wrong link).
The alternative is not to use PKCE, which introduces security considerations, especially if you are building on mobile.
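The pattern the answer describes, as an added example that is not code from this thread, from FusionAuth, or from the customer's integration: a stable `/login` URL (the one customers should bookmark) mints a fresh PKCE verifier, challenge and `state` on every hit and redirects to the FusionAuth-hosted authorize page, and the callback sends anyone who arrives without a matching pending request (the symptom of a bookmarked authorize URL) back to `/login` instead of attempting a token exchange that would fail PKCE. The domain, client id, redirect URI, the `/oauth2/authorize` and `/oauth2/token` paths, and the plain `dict` standing in for a server-side session are all assumptions made for the example.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical deployment values; placeholders, not taken from the original thread.
AUTH_BASE = "https://auth.mycompany.com"              # custom domain in front of FusionAuth
CLIENT_ID = "11111111-2222-3333-4444-555555555555"    # FusionAuth application id (placeholder)
REDIRECT_URI = "https://app.mycompany.com/oauth/callback"
STABLE_LOGIN_PATH = "/login"                          # the one URL customers should bookmark


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_pkce_pair() -> tuple:
    """Fresh verifier (43 chars carrying 256 bits of entropy) and its S256 challenge."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_s256(challenge: str, verifier: str) -> bool:
    """The check the authorization server performs at the token endpoint: the verifier
    must hash to the challenge that was bound to the code. A verifier from a different
    login attempt fails here, which is the 'PKCE failure' the answer refers to."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected.encode(), challenge.encode())


def parse_query(url: str) -> dict:
    """First value of each query parameter in a URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def start_login(session: dict) -> str:
    """GET /login handler. Mints per-attempt PKCE values and state, stores them in the
    server-side session and returns the FusionAuth authorize URL to redirect to.
    Every call produces a new challenge, so the returned URL must never be bookmarked."""
    verifier, challenge = new_pkce_pair()
    state = b64url(secrets.token_bytes(16))
    session["pending"] = {"state": state, "verifier": verifier}
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid offline_access",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTH_BASE}/oauth2/authorize?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """GET /oauth/callback handler. Returns the app's next action.
    No pending request, or a state mismatch, means the browser most likely replayed a
    bookmarked authorize URL: send the user back to the stable login page rather than
    attempting a token exchange whose code_verifier cannot match the code's challenge."""
    query = parse_query(callback_url)
    pending = session.pop("pending", None)   # single use: a replayed callback also fails
    state = query.get("state")
    if pending is None or state is None or not secrets.compare_digest(
        state.encode(), pending["state"].encode()
    ):
        return {"action": "redirect", "location": STABLE_LOGIN_PATH,
                "reason": "no matching login request in session"}
    if "error" in query or "code" not in query:
        return {"action": "redirect", "location": STABLE_LOGIN_PATH,
                "reason": query.get("error", "missing code")}
    # Form the app would POST to the token endpoint to finish the login.
    return {
        "action": "exchange",
        "token_endpoint": f"{AUTH_BASE}/oauth2/token",
        "form": {
            "grant_type": "authorization_code",
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "code": query["code"],
            "code_verifier": pending["verifier"],   # pairs with the challenge sent in start_login
        },
    }
```

Because `start_login` is the only place the challenge is created and the verifier lives only in the server-side session, a bookmarked authorize URL can never be completed: either the session has no pending request (fresh browser) or its verifier belongs to a newer challenge, and `verify_s256` on the server side rejects it. Routing both cases back to `/login` turns the failure into an extra redirect rather than a dead end.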