BadRequestError: checks.state argument is missing

Hey All,

I find that every so often (not sure of the exact cadence for this error) I get the following error after the user is successfully authenticated (i.e. the URL this is happening on is https://website.com/callback):

BadRequestError: checks.state argument is missing:
at /var/www/app/html/node_modules/express-openid-connect/middleware/auth.js:94:29 
at processTicksAndRejections (internal/process/task_queues.js:97:5)

I am using express-openid-connect v1.0.1 and the new Universal Login page. Interestingly I never run into this when testing locally, only on the server if that context helps.

Update 1: Another piece of the puzzle. When I get the above error and then go back to https://website.com/ and click sign in again, authentication and redirect works flawlessly without me even seeing the universal login screen.

From this point, I can logout and login to my heart’s content without seeing the error again.

Update 2: Thought it might be something to do with cookies and the fact that the Express server runs behind Nginx and so I added:

app.set("trust proxy", true); // Express setting, so app.set() rather than app.use()

Still the same problem.

Update 3: I can now see that the first time I authenticate and get the error as described there is no cookie set on the domain. Once I go back to the landing page and attempt authentication again, the appSession cookie is set and persists so, from there on out (as mentioned before), sign in and sign out work as expected.

Any idea why setting the cookie the first time would fail? But then succeed on the second attempt? Is this a possible bug in the connect node module?

Has anyone else run into this problem? Any ideas on a resolution? Thank you


It very much looks to me like this is the root of the problem here:

If you’re a customer of Auth0, then be sure we’re already executing steps necessary to facilitate this change. Some changes will happen automatically, on Auth0’s side, without requiring any action on yours. Depending on the particular SDK and underlying grant your web app is using to implement Sign-In and/or Authorization, you might need to update to a newer version of the SDK capable of handling the new browser behavior.

Check and update your SDKs periodically, and be on the lookout for any advisories in their README and CHANGELOG as well as your Auth0 Dashboard Notifications for any actions required.

Will have to see whether express-openid-connect handles this correctly. Still odd why it works on the second and all subsequent attempts

https://support.auth0.com/notifications/5dd68dc99f3b31000a6ce1fc

Suggests that all is good, but seems I am still being affected.


I guess the immediate possible solution is to use server-side sessions with express-session and Redis. I am going to look into this and will report whether this solves the problem.

So, it seems like the core of this problem was caused by an HTTP call somewhere in between the HTTPS calls during the roundtrip. So, as soon as the HTTP call is made, the cookie is dropped because cookie.secure is set to true.

Setting cookie.secure to false solved the problem. Now to figure out where the HTTP call happens. The origin site runs via HTTPS and everything is forced to be via HTTPS so, not sure if it could still happen (I guess it can), or whether this is on the Auth0 side somewhere.

Also seeing this issue. In my network requests I see http://auth0.com is trying to set a cookie? Wonder if this issue is on the auth0 side?


It will 100% cause the issue. I noticed this as well in Safari as it throws up a notice saying the page is not secure. If I remember correctly the title of that page is something like “Submit this form”.

So yes, if cookie = secure is set and anywhere along the flow there is an HTTP call, the cookie will be dropped.

The error is accompanied by either an HTTP 400 Bad Request error or an

Hey @schalk.neethling I believe this is fixed in https://github.com/auth0/express-openid-connect/releases/tag/v1.0.2 from https://github.com/auth0/express-openid-connect/pull/94

Can you try that version and if that doesn’t resolve your issue can you provide some more details about your implementation?


Hi wanted to bump this as I’m getting the same issue still. I’ve updated my version of express-openid-connect.
Users on iPhone seem to not experience this issue. Though Android and windows chrome for sure are.

Hey David, thank you for the heads up and apologies for taking so long to reply. I have moved back to the previous passport.js solution that Auth0 used to suggest for the project in question.

I am curious about using the new shiny module though, so I am thinking I will build a skeleton auth project to try it out. I will let you know if I still run into the same problem. Also note, when running locally I do not see the error as I do not set the cookie to secure=true.

This only happens in production.