Auth0 PHP SDK: Invalid state

pitsnthings · June 15, 2022, 10:53pm

I know this problem may have been discussed a lot in these forums but I can’t seem to find an answer that fixes this problem.
I’m using the auth0 PHP SDK and am using a lot of the code from the quickstart guide for PHP.
The problem is, when I attempt to login by pressing the sign in button on my page, I get taken to a blank page with an error in the console of my PHP develpment server. The error is as follows:

127.0.0.1:59994 [500]: GET /callback.php?code=jDjrZOQz-Ts7lKmG3CjYXTrGZA-XP0zPkFOl6-od4eWpW&state=fdf4f0369232d4e5a2a208e2058292f0 - Uncaught Auth0\SDK\Exception\StateException: Invalid state in /home/npatrick/Code/artichoke3d/vendor/auth0/auth0-php/src/Exception/StateException.php:24
Stack trace:
#0 /home/npatrick/Code/artichoke3d/vendor/auth0/auth0-php/src/Auth0.php(322): Auth0\SDK\Exception\StateException::invalidState()
#1 /home/npatrick/Code/artichoke3d/callback.php(15): Auth0\SDK\Auth0->exchange()
#2 {main}
  thrown in /home/npatrick/Code/artichoke3d/vendor/auth0/auth0-php/src/Exception/StateException.php on line 24

The result I was hoping for was to see my index.php page with a name and email showing in the place of the “sign in” button.
here is my index.php:

    <?php
    $_SESSION["redirect_url"] = "http://127.0.0.1:3000";
    require 'vendor/autoload.php';
    (Dotenv\Dotenv::createImmutable(__DIR__))->load();
    $auth0 = new \Auth0\SDK\Auth0([
      'domain' => $_ENV['AUTH0_DOMAIN'],
      'clientId' => $_ENV['AUTH0_CLIENT_ID'],
      'clientSecret' => $_ENV['AUTH0_CLIENT_SECRET'],
      'cookieSecret' => $_ENV['AUTH0_COOKIE_SECRET']
    ]);
    if ($session === null) {
      $_SESSION['auth0__webauth_state'] = 123456;
      echo '<a class="loginButton" href="http://127.0.0.1:3000/login.php">Sign in</a>';
    } else {
      echo '<button onclick="myFunction()" class="dropbtn">' . $session->user["email"] . '</button><img class="profileImg" src="', $session->user["picture"] . '" height="32px" width="32px">';
    }

    ?>

login.php:

<?php
require 'vendor/autoload.php';

(Dotenv\Dotenv::createImmutable(__DIR__))->load();
define('ROUTE_URL_INDEX', "http://127.0.0.1:3000");
define('ROUTE_URL_LOGIN', ROUTE_URL_INDEX . '/login_redirect.php');
define('ROUTE_URL_CALLBACK', ROUTE_URL_INDEX . '/callback.php');
define('ROUTE_URL_LOGOUT', ROUTE_URL_INDEX . '/logout.php');
$auth0 = new \Auth0\SDK\Auth0([
  'domain' => $_ENV['AUTH0_DOMAIN'],
  'clientId' => $_ENV['AUTH0_CLIENT_ID'],
  'clientSecret' => $_ENV['AUTH0_CLIENT_SECRET'],
  'cookieSecret' => $_ENV['AUTH0_COOKIE_SECRET']
]);
$auth0->clear();
header("Location: " . $auth0->login("http://127.0.0.1:3000/callback.php"));
exit;
?>

callback.php

<?php
declare(strict_types=1);
require 'vendor/autoload.php';
(Dotenv\Dotenv::createImmutable(__DIR__))->load();
define('ROUTE_URL_INDEX', "http://127.0.0.1:3000");
define('ROUTE_URL_LOGIN', ROUTE_URL_INDEX . '/login_redirect.php');
define('ROUTE_URL_CALLBACK', ROUTE_URL_INDEX . '/callback.php');
define('ROUTE_URL_LOGOUT', ROUTE_URL_INDEX . '/logout.php');
$auth0 = new \Auth0\SDK\Auth0([
  'domain' => $_ENV['AUTH0_DOMAIN'],
  'clientId' => $_ENV['AUTH0_CLIENT_ID'],
  'clientSecret' => $_ENV['AUTH0_CLIENT_SECRET'],
  'cookieSecret' => $_ENV['AUTH0_COOKIE_SECRET']
]);
$auth0->exchange(ROUTE_URL_CALLBACK);
header("Location: " . $_SESSION["redirect_url"]);
exit;
?>

logout.php:

<?php
require 'vendor/autoload.php';
(Dotenv\Dotenv::createImmutable(__DIR__))->load();
define('ROUTE_URL_INDEX', "http://127.0.0.1:3000");
define('ROUTE_URL_LOGIN', ROUTE_URL_INDEX . '/login_redirect.php');
define('ROUTE_URL_CALLBACK', ROUTE_URL_INDEX . '/callback.php');
define('ROUTE_URL_LOGOUT', ROUTE_URL_INDEX . '/logout.php');
$auth0 = new \Auth0\SDK\Auth0([
  'domain' => $_ENV['AUTH0_DOMAIN'],
  'clientId' => $_ENV['AUTH0_CLIENT_ID'],
  'clientSecret' => $_ENV['AUTH0_CLIENT_SECRET'],
  'cookieSecret' => $_ENV['AUTH0_COOKIE_SECRET']
]);
header("Location: " . $auth0->logout($_SESSION["redirect_url"]));
exit;
?>

If you notice massy or inconsistent parts of my code, that is because I’m using bits and pieces copied from the quickstart guide and I plan to clean it up after I get a basic login system working. Also, I’m pretty new to this Auth0 stuff so sorry if this is a really dumb question.

pitsnthings · June 16, 2022, 9:58am

I posted a question, not an answer

pitsnthings · June 20, 2022, 6:46am

Does anybody have any ideas?

aplein · July 1, 2022, 6:34pm

Running into a similar issue. I’ll let you know if I find a solution.

yodude · October 20, 2022, 10:41am

Also running into this issue of intermittent invalid state exception. It makes for very bad UX.

Do the Auth0 staff have any ideas about this? Any workarounds?

yodude · March 11, 2023, 12:08am

For such a big enterprise company as Auth0, these forums reflect a lack of professionalism and technical knowledge on the part of the staff. They just give some BS answers that don’t address the problem and leave it up to users to solve their own problems and when they do, the staff just chimes in with “thank you!” Pathetic

akshayw.softdev · January 30, 2024, 3:25pm

It look like they also don’t know how to handle this issue.

dan.woda · January 30, 2024, 3:49pm

Hey all,

If you’re seeing the invalid state error, it’s generally because the state param in the application does not match the state param returned by Auth0 after the authentication.

This is typically the result of 2 authentication transactions running back to back, which creates two state params and results in a “mismatch” between the param in the response and the one expected in the application.

There’s a good thread about it here: