OAuth2 authorize workflow is broken if the user refreshes the page

I have a native app (Android + iOS) which uses Okta OAuth2 to authorize the user. During the authorization workflow, if the user refreshes the page, Okta will lose all context of the authorize request, i.e. redirect_uri. This results in a very bad user experience, as after authorizing the user will be redirected to {okta_org}/app/UserHome. There is no way for the app to retrieve the access_token in this case.
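The failure described above is that the authorization server loses the request context, so the client never receives a callback that matches a pending request. The client-side half of that contract, as an added example that is not code from the original post or from Okta's SDKs: persist the per-request context (state, PKCE verifier, redirect_uri) before redirecting, and accept a callback only when its state matches a pending request; anything else (no callback, unknown state, missing code) means the flow must be restarted. The endpoint, client id and redirect URI are placeholder assumptions.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values; substitute the real Okta org, client id and registered redirect URI.
AUTHORIZE_ENDPOINT = "https://{okta_org}/oauth2/default/v1/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "com.example.app:/callback"


def build_authorize_request(pending):
    """Build the authorize URL and record the request context in `pending`
    (a dict kept by the app, e.g. in secure storage) keyed by state."""
    state = secrets.token_urlsafe(32)
    code_verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    code_challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    pending[state] = {"code_verifier": code_verifier, "redirect_uri": REDIRECT_URI}
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid profile",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), state


def handle_callback(callback_url, pending):
    """Return (authorization_code, context) when the callback matches a pending
    request; return None when the flow must be restarted. The state entry is
    consumed so a replayed callback is rejected too."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    context = pending.pop(state, None) if state else None
    if context is None:
        # Unknown or missing state: the request context was lost (e.g. the user
        # refreshed mid-flow) or the callback was not initiated by this app.
        return None
    if "code" not in query:
        # Error callback or no code; the stored context is discarded either way.
        return None
    return query["code"][0], context
```

The token exchange (not shown) must send `context["code_verifier"]` and `context["redirect_uri"]` from the consumed entry, never values taken from the callback itself.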

I’m guessing you’re doing a browser-based login? This is expected: if the user refreshes the Okta login page in the middle of an OAuth/OIDC flow, they will lose the application context and be redirected to their Okta User dashboard instead of to the application with an authorization code/tokens.

If you want to ensure users don’t lose their place like this, you will want to use an embedded/native login experience that removes this browser redirect from the login flow. See this sample app for reference.

@andrea thanks for the suggestion. But why would this behavior be expected? I just gave Auth0 a quick try and can confirm that their OAuth2 workflow works fine without any issue.

On the other hand, if we have to use the native SDK to develop the login experience, it would be quite extreme just for fixing this bad user experience.

@andrea do you mind following up on this?