Why you might see a 404 when signing in to your Logto-integrated app
Have you ever encountered a "404 Not Found" error when you tried to sign in to a Logto-integrated app? This blog post explains why this happens and what you can do to avoid it.
Developer
Background
Have you ever tried signing in to an app that uses Logto for authentication and encountered a "404 not found" error? Have any of your end-users reported the same issue?
This can happen when you directly access the sign-in page (e.g., https://your-app.com/sign-in) without going through the intended sign-in flow from your application.
Here's why:
The importance of the OIDC flow
Logto relies on the OpenID Connect (OIDC) protocol for secure authentication. When you sign in through the normal application flow (e.g., typically by clicking a sign-in button from your application), the application initiates a communication with Logto’s OIDC server. This communication, called the “authorization request,” is important because it does various validations against the caller first, and then establishes a secure session between your browser and the server (managed by cookies).
The problem arises when users directly navigate to the “/sign-in” page, as this bypasses the application's internal logic that triggers the OIDC authorization request. Consequently, the server doesn't recognize your browser as having a valid session, which then leads to the 404 error.
The solution
There are two main ways to avoid this issue:
Always use the app's sign-in button
Instead of directly accessing the "/sign-in" page, follow the intended login flow provided by the application. When you click the "Sign in" button within the app, it initiates the proper OIDC authorization request, and establishing the necessary session.
Redirect users automatically
If you only have one application in your Logto instance, you may try to implement logic to automatically intercept user attempts to "/sign-in" page without a valid session, and redirect them back to your main page where a sign-in button is displayed. This cannot be done by Logto due to its "Omni-sign-in" nature, as multiple applications can share the same authentication system, and therefore when such page request comes in, Logto doesn't know which app it should redirect to.
Additional thoughts on experience improvement
We are trying to improve the user experience, by at least adding helpful messages on the "/unknown-session" page, explaining the reason for the 404 and let the users know what to do instead of being confused and clueless.
We may also consider implementing other safely measures to mitigate the problem, such as automatically redirecting to "Sign-out redirect URI" (usually the main page of the application) when there's only one application detected for the current Logto instance, or adding additional configuration to show customized message on such case.
Conclusion
The 404 not found (invalid session) error on the "/sign-in" page is usually caused by directly accessing the sign-in page URL, which bypasses the normal application sign-in flow that triggers the authorization request, and hence no valid session (managed by cookies) is established.
By understanding this flow and its importance, you can avoid the error and enjoy a seamless sign-in experience with your Logto-integrated app.
Please feel free to contact us if you would like to share your ideas.