1. Start by being logged out of both the forum and oauth identity provider. 
2. Visit forum directly, click "Login with ....com". You will be redirected to a identity provider login 
3. Login to the identity provider, get redirected back to https://forum.custominvisionforum.com/login , then Invision immediately 301 redirects the user to a broken login URL that 404s (screenshot attached forum-error-1.PNG), it 301 redirects to this example URL: https://forum.custominvisionforum.com/login/7?_processLogin=3&csrfKey=...&ref=&code=...   (note the 7 at the end of login URL path.. if the "7" is removed from the URL and reload page, it immediately logs the user in). 

4. The user is then prompted with a "Existing user? Please sign in" button .. When they click this button, after above redirect chain, it causes CloudFlare to block the login request.  Screenshot attached, forum-error-2.png.  Example Request URL where we see this error: https://forum.custominvisionforum.com/oauth/callback/?code=...&state=...  The cloudflare blocking issue has to be something specific to the redirects in step (3) above -- if at this point the user reloads the homepage and clicks login, it logins them in no issue.

 

Cloudflare Error:

403 ERROR
The request could not be satisfied.
Request blocked. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.

 

Looking at your login page here, I am noticing that there have been some customizations done to it. I would recommend undoing those and then testing the solution here as I believe those may be influencing your issue.

We actually utilize the OATUH 2.0 process here and many other sites so I'd like to remove any customizations before we continue investigating.

@Jim M I've removed the two theme overrides we had in place, and I'm still able to reproduce the issue. 

What URL have you setup as your redirect URI in your OAUTH identity provider?

{base-url}/oauth/callback/

Thank you! I've transferred this to a ticket as we will need to investigate this further as I believe this to be a one-off issue rather than widespread. Please check your email for next steps.

Please note I have also obfuscated your base URL in the URLs you've shared.

Thank you!  For the time being I am going to re-add our theme customizations, as the default login forms might confuse our users.. 

 

We can revert them again temporarily while your team troubleshoots, let us know. 

Yes, thats no problem, as long as you are aware it may be removed while debugging

That's CloudFront not CloudFlare - are you using WAF in front of CF? It can throw a 403 if you trip one of the firewall rules.