Hi,
I’m running Discourse (2026.2.0-latest (f7cec86997)) with OpenID Connect (Azure / Entra ID as IdP).
I’ve noticed an occasional login failure that only seems to occur when users attempt to sign in via the Discourse iOS app.
From the server logs, the flow looks like:
POST /auth/oidc
GET /auth/oidc/callback?...state=...
(oidc) Authentication failure! csrf_detected
The callback does reach Discourse, but the CSRF/state validation fails, so no user account is created.
The surrounding logs suggest this is happening in the app handoff flow:
• application_name=Discourse - iPhone
• auth_redirect=discourse://auth_redirect
From the user’s perspective, nothing obvious appears - they’re simply returned to the login screen and often don’t remember seeing an error.
This doesn’t seem to occur when logging in via Safari or desktop browsers.
My assumption is that this is related to iOS cookie partitioning / context switching between the in-app browser and the app callback.
I just wanted to sanity-check:
• whether this is expected behaviour with OIDC + the iOS app
• and whether there are any recommended mitigations beyond ensuring a strict canonical HTTPS origin
Thanks - happy to provide anonymised log snippets if helpful.
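For readers following the flow above: the `csrf_detected` failure comes from the OAuth/OIDC `state` check, which only works if the callback request carries the same session cookie that the initial `POST /auth/oidc` request wrote the state into. The simulation below is an added example, not Discourse's or OmniAuth's own code; `BrowserContext`, `begin_auth` and `handle_callback` are hypothetical names. It models one browser context starting the flow and the callback landing either in the same context (state matches) or in a fresh context with no session (the cookie-partitioning case), and it also covers a tampered state and a replayed callback.

```ruby
require 'securerandom'

# Constructed model of a cookie-backed session. Each browser context (in-app
# browser, system browser, app handoff) has its own cookie jar, so its own
# session hash. Hypothetical class, not a Discourse/OmniAuth type.
class BrowserContext
  attr_reader :name, :session

  def initialize(name)
    @name = name
    @session = {}
  end
end

# Step 1 of the flow: POST /auth/oidc. A random state is generated, stored in
# the session of the context that made the request, and sent to the IdP, which
# echoes it back unchanged on the callback.
def begin_auth(context)
  state = SecureRandom.hex(16)
  context.session['oidc_state'] = state
  state
end

# Constant-time comparison so the state check itself does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Step 2 of the flow: GET /auth/oidc/callback?state=... The returned state is
# compared against whatever session the callback request arrived with. The
# stored state is consumed on first use so a replayed callback also fails.
def handle_callback(context, returned_state)
  expected = context.session.delete('oidc_state')
  if expected.nil? || returned_state.nil? || !secure_compare(expected, returned_state)
    return { ok: false, reason: :csrf_detected, context: context.name }
  end
  { ok: true, context: context.name }
end

# Scenario A: the callback lands in the same context that started the flow.
def callback_in_same_context
  browser = BrowserContext.new('in-app browser')
  state = begin_auth(browser)
  handle_callback(browser, state)
end

# Scenario B: the IdP returns a perfectly valid state, but the callback is
# handled in a context whose cookie jar never saw the original session
# (the app-handoff / partitioned-cookie case). The state is correct, yet the
# session has nothing to compare it to, so the result is csrf_detected.
def callback_in_new_context
  browser = BrowserContext.new('in-app browser')
  state = begin_auth(browser)
  handle_callback(BrowserContext.new('app handoff'), state)
end

# Scenario C: same context, but the state in the callback was altered.
def callback_with_tampered_state
  browser = BrowserContext.new('in-app browser')
  begin_auth(browser)
  handle_callback(browser, SecureRandom.hex(16))
end

# Scenario D: a second callback with the same state after a successful one.
def replayed_callback
  browser = BrowserContext.new('in-app browser')
  state = begin_auth(browser)
  handle_callback(browser, state)
  handle_callback(browser, state)
end

if __FILE__ == $PROGRAM_NAME
  [callback_in_same_context, callback_in_new_context,
   callback_with_tampered_state, replayed_callback].each { |r| p r }
end
```

The practical takeaway from scenario B is that a `csrf_detected` entry on its own does not distinguish a forged callback from a legitimate one that lost its session cookie between the two requests; correlating the failure with the `application_name` and `auth_redirect` context, as in the logs above, is what points at the handoff rather than at an attack.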