How to handle Auto login failure

Overview

For web apps that have integrated LINE Login, Auto login may fail when private browsing is enabled.

This page explains how to detect Auto login failures and examples of responses that should be displayed to users when login fails.

Detecting Auto login failure

You can detect Auto login failure using the state parameter explained in Authenticating users and making authorization requests.

When Auto login fails, the callback URL of the web app will be redirected with invalid code and state parameters. This will lead to a mismatch between the value of the state parameter given to the callback URL and the value of the state parameter set in the authorization URL. Your web app design should take into account that Auto login fails when there is a mismatch between the values of the state parameters.

Cases of "state" parameter mismatch

With LINE Login, a state parameter mismatch may occur due to attacks by third parties such as Cross site request forgery (CSRF) (opens new window). Accordingly, it's impossible to determine whether the cause of the state parameter mismatch is Auto login failure or an attack by a third party such as CSRF.

Therefore, when there is a state parameter mismatch, consider how to deal with the situation where the user unintentionally failed at Auto login.

When Auto login fails

In environments where Auto login fails, such as where private browsing is enabled, if the user who failed LINE Login is prompted to reattempt with an authorization URL where Auto login is enabled, the user will continue to fail at LINE Login repeatedly. In order to prevent continuous login failures, once Auto login fails, you can use the disable_auto_login parameter to prompt the user to reattempt LINE Login with an authorization URL that has Auto login disabled.

These are the two recommended responses.

• Display an error message to users and prompt them to reattempt login
• Redirect user to an authorization URL without Auto login

Display an error message to users and prompt them to reattempt login

Display a login failure message to users and prompt them to reattempt login.

Since this screen is displayed when automatic login fails, you need to disable Auto login when prompting users to reattempt login. To disable Auto login, set the disable_auto_login parameter to true in the query parameter of the authorization URL and redirect the user as follows.

https://access.line.me/oauth2/v2.1/authorize?disable_auto_login=true&response_type=code&client_id=1234567890&redirect_uri=https%3A%2F%2Fexample.com%2Fauth%3Fkey%3Dvalue&state=12345abcde&scope=profile%20openid&nonce=09876xyz

We recommend including on this screen a link to the I can't automatically log in to a website with LINE (opens new window) page (https://help.line.me/line/ios/sp?lang=en&contentId=20020693) from the LINE Help center.

The following is a sample screen that prompts the user to reattepmt login.

Redirect users to an authorization URL without Auto login

Directly redirect users who have failed Auto login to the authorization URL where Auto login has been disabled. By redirecting users directly, you can display the login screen without making the user aware that Auto login has failed. To disable Auto login, set the disable_auto_login parameter to true in the query parameter of the authorization URL and redirect the user as follows.

https://access.line.me/oauth2/v2.1/authorize?disable_auto_login=true&response_type=code&client_id=1234567890&redirect_uri=https%3A%2F%2Fexample.com%2Fauth%3Fkey%3Dvalue&state=12345abcde&scope=profile%20openid&nonce=09876xyz

If you want to let users know in advance that a redirection will occur, you can display a redirection message.

The following is a sample screen displaying a redirect message.