"@auth0/auth0-spa-js": "^1.12.1",

snehal.libra · October 19, 2020, 1:44pm

hi All,

i am trying to integrate “@auth0/auth0-spa-js”: “^1.12.1” for “Authorization Code Grant Flow with PKCE”

when i do “getTokenSilently()” call, i see that first call goes to /authorize and return 200. however after that multiple “/oauth/token” calls goes but all end up in error.

i tried looking around but could not fine any issue.

Can you please suggest what could be wrong.

dmitry · October 20, 2020, 12:55am

what is your oauth/token sending as part of the body? Are you getting 401 or something else as the response code?

snehal.libra · October 20, 2020, 4:53am

this is what i see

response is empty, without any code.

snehal.libra · October 20, 2020, 7:05am

Update:

i see this issue happening only for google chrome. and in Firefox, i am able to get the token correctly.

in below screen, i see that the __cfuid and *_compat cookies are rejected for sameSite issue. i believe that is the difference in Chrome and Firefox

@dan.woda can you please help me with this?

dmitry · October 20, 2020, 3:25pm

I’m having the same issue. But I verified against Chrome, Safari, and Firefox on Mac OS where they all behave the same - 401 response. You may also see an error in your Console that says “Invalid State”.

There seems to be a number of different ways that Invalid State can be caused.

Bug with SPA JS that was fixed a year ago: Always "Invalid state" in v1.2 · Issue #186 · auth0/auth0-spa-js · GitHub
Other ways Invalid State can be caused: Invalid state on reload Auth0 callback url, using auth0-spa-js and Angular 8 - #9 by supun

The underlying theme is that there is a misconfiguration somewhere that is causing this behavior. But I can’t isolate it in my environment - yet.

dan.woda · October 20, 2020, 4:16pm

@snehal.libra

Those compatibility cookies will give you a warning, but shouldn’t be causing the problem. Can you please DM me a HAR file with a capture of the transaction.

dmitry · October 20, 2020, 9:39pm

@snehal.libra I just had support help me address my issue. The SPA was configured with POST for “Token Endpoint Authentication Method” (I didn’t set that, it was defaulted to POST when app was created). However, that seems to require Secret being passed. I had to change to Web Application, set the method to NONE, then changed it back to SPA and was able to get past the same 401 error. Hopefully that helps you as well.

dan.woda · October 20, 2020, 9:42pm

Thanks for the follow up @dmitry.

It looks like the same issue as this thread. If it is, it’s a bug.

system · November 4, 2020, 9:42pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Intermittent Invalid State Help auth0-spa-js	2	2831	September 14, 2021
Bug: 401/Unauthorized when obtaining token in Authorization Code grant Help configuration , application	2	488	April 5, 2024
Invalid token sometimes? Help	4	2223	February 4, 2021
401/Unauthorized when obtaining token in Authorization Code grant Help	19	53129	November 8, 2022
Auth0_flutter missing transaction: invalid_state error Help configuration , application	2	742	February 15, 2024

"@auth0/auth0-spa-js": "^1.12.1",

Related topics