Social Login only works on desktop, but not on mobile devices (CSRF detected)

Hello,
my Discourse forum has a problem with social logins (Google, Discord, LinkedIn):

  • On desktop, all social logins work perfectly.

  • On all mobile devices (iOS/Android, Safari/Chrome/Firefox), they fail.

The mobile process:

  1. Social login opens normally.

  2. After the redirect back to my site, I only land on the homepage, but I am not logged in.

In the logs, every time it says:

(google_oauth2) Authentication failure! csrf_detected

or

(discord) Authentication failure! invalid_credentials: invalid_request

What I have already checked:

  • OAuth setup correct (desktop works)

  • Cookies/cache deleted on devices

  • No in-app browsers, real browsers tested

  • No matter which mobile browser → always CSRF detected

Question:
What in Discourse can cause social logins to only lose the session/cookies on mobile devices and fail with csrf_detected?

Thanks for any help! :folded_hands:


Is this a standard install? If not, do you have force_https enabled?

Hello, yes it is a standard Discourse installation (installed on a Hetzner server).

I found the solution to the issue where social logins (Google, Discord, etc.) fail with csrf_detected on mobile devices, even though they work on PC.

The cause was in my theme:

A custom JavaScript script in the <head> section of the theme was constantly reloading the page (window.location.replace) on mobile devices.

This forced redirect destroyed the temporary CSRF token necessary for session validation after the Google/Discord callback.

Solution:

I removed the entire script for forcing the mobile view from the theme.

If you have similar issues and are using a custom theme, check if there are any scripts running that trigger redirects. That was the culprit in my case!
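
One way to carry out the check suggested in the last post, as an added example that is not part of the thread: a Node.js helper that scans theme <head> markup for scripts that force a navigation (window.location.replace and similar). The function name, the pattern list and the sample markup are assumptions constructed for illustration.

```javascript
// Added example: audit theme <head> markup for scripts that force a navigation.
// Pattern list and sample markup are constructed for illustration (assumptions).
const NAV_SINKS = [
  { name: "location.replace", re: /\blocation\s*\.\s*replace\s*\(/ },
  { name: "location.assign", re: /\blocation\s*\.\s*assign\s*\(/ },
  { name: "location.reload", re: /\blocation\s*\.\s*reload\s*\(/ },
  { name: "location.href assignment", re: /\blocation\s*\.\s*href\s*=(?!=)/ },
  { name: "location assignment", re: /\blocation\s*=(?!=)/ },
];
// Heuristic: the script branches on device type, so it may only fire on mobile.
const DEVICE_CHECK = /navigator\.userAgent|matchMedia|innerWidth/i;

function auditThemeHead(html) {
  const findings = [];
  const scriptRe = /(<script\b[^>]*>)([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const body = m[2];
    // Line of the markup on which this script body starts (1-based).
    const startLine = html.slice(0, m.index + m[1].length).split("\n").length;
    const deviceGated = DEVICE_CHECK.test(body);
    body.split("\n").forEach((text, i) => {
      for (const sink of NAV_SINKS) {
        if (sink.re.test(text)) {
          findings.push({ line: startLine + i, sink: sink.name, deviceGated, code: text.trim() });
        }
      }
    });
  }
  return findings;
}

// Constructed sample: one forced mobile redirect, one harmless comparison.
const SAMPLE_HEAD = [
  '<meta name="theme-color" content="#222">',
  '<script>',
  '  if (/Android|iPhone|iPad/i.test(navigator.userAgent)) {',
  '    window.location.replace("/?mobile_view=1");',
  '  }',
  '</script>',
  '<script>',
  '  if (window.location.href === "https://forum.example/") { console.log("home"); }',
  '</script>',
].join("\n");

for (const f of auditThemeHead(SAMPLE_HEAD)) {
  console.log(`line ${f.line}: ${f.sink}${f.deviceGated ? " (device-gated)" : ""}: ${f.code}`);
}
```

A device-gated hit matches the desktop-works, mobile-fails pattern from this thread. Scripts loaded through a src attribute are not fetched by this helper and need the same review.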