During this service interruption, new logins using SSO via PKCE did not succeed.
The service interruption was caused by the deployment of an internal Userfront infrastructure change, which caused the origin headers that are normally set during the PKCE flow to be overwritten with origin headers from Userfront’s internal infrastructure. Because the origin header for a given request was overwritten and therefore not valid, the PKCE exchange failed security checks performed by other Userfront systems and within the browser.
We estimate that this event affected 10-20 end users over the course of 6 hours. It appears that many of those end users did ultimately log in with a different method such as email link or password. All other login methods, including SSO without PKCE, were not affected during the service interruption.
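The origin-header failure described above can be modeled in a few lines. This is an added example, not Userfront's code: it models only a server-side check, and the allowlist, origins, `forward` hop and `hop_preserves_origin` check are hypothetical names and constructed values. It shows a correct PKCE verifier still being rejected once an internal hop overwrites `Origin`, plus a pre-deploy check that would flag such a hop.

```python
import base64
import hashlib
import hmac

# Constructed values for illustration; not Userfront's real configuration.
ALLOWED_ORIGINS = {"https://app.example.com"}
INTERNAL_ORIGIN = "https://edge.internal.example"


def s256(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(code_verifier)), padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def forward(headers: dict, preserve_origin: bool) -> dict:
    """Hypothetical internal hop; can overwrite Origin with its own value."""
    out = dict(headers)
    if not preserve_origin:
        out["Origin"] = INTERNAL_ORIGIN
    return out


def exchange(headers: dict, stored_challenge: str, verifier: str) -> str:
    """Token-exchange checks: Origin allowlist first, then the PKCE verifier."""
    if headers.get("Origin") not in ALLOWED_ORIGINS:
        return "origin_rejected"
    if not hmac.compare_digest(s256(verifier), stored_challenge):
        return "pkce_mismatch"
    return "ok"


def hop_preserves_origin(hop) -> bool:
    """Pre-deploy check: a probe Origin must come out of the hop unchanged."""
    probe = {"Origin": "https://probe.example"}
    return hop(probe).get("Origin") == probe["Origin"]


# Constructed login attempt from an allowed browser origin.
VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
CHALLENGE = s256(VERIFIER)
REQUEST = {"Origin": "https://app.example.com"}

if __name__ == "__main__":
    print(exchange(forward(REQUEST, True), CHALLENGE, VERIFIER))   # hop keeps Origin
    print(exchange(forward(REQUEST, False), CHALLENGE, VERIFIER))  # hop overwrites it
    print(hop_preserves_origin(lambda h: forward(h, False)))
```

Running a check like `hop_preserves_origin` against each proxy layer in a staging environment catches header rewriting before it reaches login traffic.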