Skip to main content

SSO & Authentication Issues

This guide covers common authentication problems across The One Stack, including Hub SSO, Portal SSO, and session management.

Login Loops

Symptom: You click "Sign In," get redirected, and end up back at the login page without being authenticated.

Step-by-Step Debugging

  1. Clear all cookies for *.theonestack.com and *.theonehub.com domains.
  2. Open an incognito/private window and try signing in again.
  3. Check that third-party cookies are allowed — Some browsers block cross-domain cookies by default, which can prevent SSO redirects from completing.
  4. Disable browser extensions — Ad blockers and privacy extensions can interfere with OAuth redirect flows.
  5. Verify your account exists — If you were recently invited, check your email for the invitation link and complete the signup process first.

Common Causes

  • Stale session cookies — Clearing cookies resolves this in most cases.
  • Browser extension interference — uBlock Origin, Privacy Badger, and similar extensions may block SSO redirect domains.
  • Clock skew — If your device clock is significantly off, JWT tokens will fail validation. Sync your system clock.

Session Expiration

Symptom: You are logged in and working, then suddenly get redirected to the login page.

Debugging Steps

  1. Sessions expire after 8 hours of inactivity or 24 hours regardless of activity.
  2. If you are experiencing frequent unexpected logouts (within minutes), check:
    • Is your network connection stable? Intermittent connectivity can cause token refresh failures.
    • Are you accessing the platform from multiple devices? Signing in on a new device does not invalidate other sessions, but verify you are not hitting a device limit.
  3. Check your subscription status — An expired subscription can cause authentication to fail on product-specific pages.

Symptom: Features randomly stop working, or you see "Unauthorized" errors mid-session.

Debugging Steps

  1. Ensure your browser allows cookies from these domains:
    • *.theonestack.com
    • *.theonehub.com
    • Your product-specific domains (e.g., theonepsa.com, theonecrm.com)
  2. If using Safari, check Settings > Privacy > Prevent cross-site tracking — this can block SSO cookies.
  3. If using Firefox with Enhanced Tracking Protection set to "Strict," add The One Stack domains to your exceptions list.

Multi-Tab Conflicts

Symptom: Working in multiple tabs causes one or more tabs to lose authentication.

Explanation

When you have multiple The One Stack products open in different tabs, token refresh operations can occasionally collide. This is a known edge case.

Workaround

  1. If a tab loses authentication, refresh the page — the tab will pick up the current valid session.
  2. Avoid signing out in one tab while working in another — sign-out invalidates the session across all tabs.

Portal SSO

Symptom: Your end-client cannot sign into the Portal.

Debugging Steps

  1. Verify the client has a Portal account — In Hub, go to Clients > [Client Name] > Portal Access and confirm access is enabled.
  2. Check the Portal domain — If you are using a custom domain, verify the DNS CNAME record points to the correct Portal endpoint.
  3. Resend the invitation — The invitation link expires after 7 days. Go to Portal > Users and resend.
  4. Check client email — The invitation may have landed in spam. The sender is [email protected].
  5. Verify Portal subscription — Portal access requires an active Portal subscription in Hub > Billing.

Still Stuck?

If none of the above resolves your issue:

  1. Open your browser's Developer Tools (F12) and go to the Network tab.
  2. Reproduce the issue.
  3. Look for any requests returning 401 or 403 status codes.
  4. Take a screenshot or export the HAR file.
  5. Open a support ticket with the HAR file or screenshots attached.