Auth0-php SDK With Invalid State Error (URL Does not match $_SESSION)

Hi There,

I’m fairly new to Auth0 and OAuth.

I’m working on integrating Auth0-php in a WordPress Plugin using the authorization code flow.

All seems fine, until I’m redirected back to WordPress and then I receive the following error:

Uncaught Auth0\SDK\Exception\CoreException: Invalid state in /Applications/MAMP/htdocs/test-woocommerce/wp-content/plugins/phauth0/vendor/auth0/auth0-php/src/Auth0.php:559

Also shown in the screenshot is a state mismatch between the $_SESSION and the query parameter in the URL.

I’ve looked at several topics similar to this but none seem to fix my issue, also none mention the state mismatch issue either.

Any help is greatly appreciated!

function __construct() {
        $this->auth0_domain = get_option('auth0_domain');
        $this->auth0_client_id = get_option('client_id');
        $this->auth0_client_secret = get_option('client_secret');
        $this->auth0_redirect_uri = get_option('redirect_uri');
        $this->auth0_audience = get_option('audience');

        $this->client = new Auth0([
            'domain' => $this->auth0_domain,
            'client_id' => $this->auth0_client_id,
            'client_secret' => $this->auth0_client_secret,
            'redirect_uri' => $this->auth0_redirect_uri,
            'scope' => 'read:users',
            'audience' => $this->auth0_audience,
            'persist_user' => true,
            'persist_access_token' => true,
            'persist_refresh_token' => true,
            'persist_id_token' => true,
            // 'state_handler' => false // this should be true
        ]);

        $this->login_url = $this->client->getLoginUrl( );
        $this->admin = new Admin( $this, $this->login_url );
        // $this->generate_token();
}



Hi @tom9

The WP plugin in turn uses the Auth0 PHP SDK (GitHub - auth0/auth0-PHP: PHP SDK for Auth0 Authentication and Management APIs). By default, it relies on the session provided by the PHP environment to store a “state” value, which is a random string generated right before sending an authentication request to Auth0, and included in that request. Upon returning the result, Auth0 returns that “state” untouched and the application, as part of the protocol, needs to ensure that it matches the one that was stored.
Here, essentially, the state returned by Auth0 (that you see in the URL) does not match whatever was stored in the session. Is it possible that the session management is somehow not configured? Another option that I’m thinking is that maybe the flow is started on a different protocol than where it ends (e.g. starts in http:// and returns to https://).

1 Like
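The state check described in the answer above, as an added example that is not part of the thread and is not the SDK's own code. It is a single script that plays both the login start and the callback, so the session dependency can be observed locally; `STATE_KEY`, the function names, the file name `state-demo.php` and the `localhost:8000` redirect URI are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);
// Added illustration, not auth0-PHP code; names and STATE_KEY are hypothetical.
// Try it with PHP's built-in server: php -S localhost:8000 state-demo.php
const STATE_KEY = 'demo_oauth_state';

/** Login start: generate the state and store it in the session. */
function issue_state(): string
{
    $state = bin2hex(random_bytes(16));
    $_SESSION[STATE_KEY] = $state;
    return $state;
}

/** Callback: the returned state must equal the stored one; it is single use. */
function verify_state($returned): bool
{
    $stored = $_SESSION[STATE_KEY] ?? null;
    unset($_SESSION[STATE_KEY]);
    return is_string($stored) && is_string($returned) && hash_equals($stored, $returned);
}

/** Origin (scheme://host[:port]) of a URL, for comparing start and return. */
function origin_of(string $url): string
{
    $p = parse_url($url);
    return ($p['scheme'] ?? '') . '://' . ($p['host'] ?? '')
        . (isset($p['port']) ? ':' . $p['port'] : '');
}

session_start();
header('Content-Type: text/plain');
$redirectUri = 'http://localhost:8000/callback'; // constructed redirect_uri
$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
$here = ($https ? 'https' : 'http') . '://' . ($_SERVER['HTTP_HOST'] ?? '');

if (!isset($_GET['state'])) {
    // A real application redirects to the provider here; the provider later
    // sends the browser to redirect_uri with the same state attached.
    echo 'Simulated callback: ' . $redirectUri . '?state=' . issue_state() . "\n";
    if (origin_of($redirectUri) !== $here) {
        echo "Warning: flow starts on $here but returns to " . origin_of($redirectUri)
            . ", so the session holding the state may not be available there.\n";
    }
} elseif (verify_state($_GET['state'])) {
    echo "State matches the session.\n";
} else {
    echo 'Invalid state. Session cookie received: '
        . (isset($_COOKIE[session_name()]) ? 'yes' : 'no') . "\n";
}
```

Opening the script at `http://127.0.0.1:8000/` and then following the printed callback link to `localhost:8000` reproduces the mismatch: the browser sends no session cookie to the second host, so no stored state exists to compare against.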