BadRequestError: checks.state argument is missing when logging in [RP]

Repost because nobody responded

Hey! Recently, I’ve been getting this error when I or my users attempt to login. This happens in incognito and normal on Chrome and Firefox.

I have checked all of my credentials and they are all valid. My base URL points to the live domain.

I am using the NodeJS express auth0 module (express-openid-connect). I am not using NextJS or another framework, I use EJS

Can anyone help me please?

Hi @deveroonie,

Have you seen this thread?

Also, if you reply to your own topic (in your other thread), it get’s kicked out of the “Unanswered” queue.

i’ll test adding this:

    //@ts-ignore
    cookie: {
      domain: '.example.com'
    }
  },

i’ll get back to you soon when it is tested - no, i had not seen that specific thread.
(e: fix MD)

1 Like

i added that and the trust-proxy stuff and it still occours.

this IS occouring in prod on https://recipe-realm.com

it is reverse proxied via CF and NGINX. i use the Auth0 FREE plan and have configuration setup in nginx to show real ip’s in the logs.

this occours on firefox every login (same on chrome mobile and chrome desktop). the latest version is being used on all devices (W10/Android13)

Node version: latest, express-openid-connect: ^2.16.0, express: ^4.18.2
host: pios latest (based on debian 11)
pm2 is setup

(i am just giving as much info as i can)
@dan.woda

1 Like

I appreciate all the info! Thank you :smile:

Do you have a snippet of your express-openid-connect setup? (exclude sensitive info)

i do indeed! all info is stored in config files or ENV so don’t worry about that.
forgot to mention - CF plan is free.

const aconf = {
    authRequired: config.authZero.authRequired,
    auth0Logout: config.authZero.auth0Logout,
session: {
    //@ts-ignore
    cookie: {
      domain: '.recipe-realm.com'
    }
  },
    secret: process.env.secret,
    baseURL: config.authZero.baseURL,
    clientID: process.env.clientId,
    issuerBaseURL: config.authZero.issuerBaseURL
  };
app.use(auth(aconf));

That looks okay so far.

Are you seeing any errors in your browser console? I would like to confirm the presence of the auth_verification cookie.

You can also DM me a HAR file and I can take a look at the whole flow.

I am seeing CSP errors (standard), and SameSite warns

Cookie “_auth_verification” does not have a proper “SameSite” attribute value.

stuff like that ^^

Check your PMs - I have sent a HAR file

1 Like

@dan.woda i have replied to your PM. i need to get this fixed ASAP as my users are starting to complain.

1 Like

Hi @deveroonie,

I sent a response in the DM

Hey! I have replied to the DM :slight_smile:

1 Like

Once again, I have replied @dan.woda!

1 Like

Thanks, no need to let me know every time.

I did message you hours ago, and I saw you where online recently so that is why I mentioned you :slight_smile:

@dan.woda i replied a few days ago, when will you be able to read it?