Lock v11 auth.params.state is not a valid Base64 value

In the new v11 of the Auth0 Lock control, the documentation now states:

The state parameter is an arbitrary state value that will be maintained across redirects. It is useful to mitigate XSRF attacks and for any contextual information, such as a return url, that you might need after the authentication process is finished. If a custom state parameter is not provided, Lock will automatically generate one.

The bolded sentence is new for V11, but this causes issues with our code. Currently, if we need a redirect URL once a user is authenticated, we URLEncode the URL, then Base64 encode it (per the docs). Upon the authentication callback, we check for the 'state' query parameter and, if it exists, base64 decode the value to get the URL. In Lock V10, if we did not add a state parameter, there was no state parameter returned, and all was fine. In V11, if we do not include a redirect URL in the state parameter (essentially no state), Auth0, per the docs above, generates one. However, the value of the state parameter is NOT a valid Base64 encoded string, which causes an exception when we try to decode the string. (For example: code=u2pieSEWOI9XHSLz&state=syZ6wQa9eG-jrtv5TRQgBrsetJU666NU. Note that the state parameter is INVALID Base64.)

What do we need to do to correct this, short of attempting to decode and, if it fails, ignoring it (hacky workaround)?

Thanks

Hi,

I understand the issue, not sure if we can help much.

Adding a state parameter is the right thing to do security wise, and the spec does not specify that it needs to be base64-encoded.

We suggest here that if you want to keep some values during the login flow you can use the state variable and base64-encode the values, and that still works.

Even if we did base64-encode our state parameter, you would still need to find a way to know whether it's "our" state parameter, which you'd need to ignore, or yours, which you'll need to process, so you would still need to hack something.

I think the best option would be for you to provide a state parameter in all cases.

How to get the actual "state" value in the Universal Login page.

We customized the login page and need the actual value of state there. However, we are getting the state value but it's encoded and we are unable to decode it. Is there a way to decode it in the Universal Login page?


Hey there!

Sorry for such a huge delay in response! We're doing our best in providing you with the best developer support experience out there, but sometimes our bandwidth is not enough compared to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?