I find that every so often (not sure of the exact cadence for this error) I get the following error after the user is successfully authenticated (i.e. the URL this is happening on is https://website.com/callback):
BadRequestError: checks.state argument is missing:
at /var/www/app/html/node_modules/express-openid-connect/middleware/auth.js:94:29
at processTicksAndRejections (internal/process/task_queues.js:97:5)
I am using express-openid-connect v1.0.1 and the new Universal Login page. Interestingly I never run into this when testing locally, only on the server if that context helps.
Update 1: Another piece of the puzzle. When I get the above error and then go back to https://website.com/ and click sign in again, authentication and redirect works flawlessly without me even seeing the universal login screen.
From this point, I can logout and login to my heart's content without seeing the error again.
Update 2: Thought it might be something to do with cookies and the fact that the Express server runs behind Nginx and so I added:
app.set("trust proxy", true); // Express only honours the proxy's X-Forwarded-* headers with this setting
Still the same problem
Update 3: I can now see that the first time I authenticate and get the error as described there is no cookie set on the domain. Once I go back to the landing page and attempt authentication again, the appSession cookie is set and persists so, from there on out (as mentioned before), sign in and sign out work as expected.
Any idea why setting the cookie the first time would fail? But then succeed on the second attempt? Is this a possible bug in the connect node module?
Has anyone else run into this problem? Any ideas on a resolution? Thank you
It very much looks to me like this is the root of the problem here:
If you're a customer of Auth0, then be sure we're already executing steps necessary to facilitate this change. Some changes will happen automatically, on Auth0's side, without requiring any action on yours. Depending on the particular SDK and underlying grant your web app is using to implement Sign-In and/or Authorization, you might need to update to a newer version of the SDK capable of handling the new browser behavior.
Check and update your SDKs periodically, and be on the lookout for any advisories in their README and CHANGELOG as well as your Auth0 Dashboard Notifications for any actions required.
Will have to see whether express-openid-connect handles this correctly. Still odd why it works on the second and all subsequent attempts.
Suggests that all is good, but seems I am still being affected.
I guess the immediate possible solution is to use server-side sessions with express-session and Redis. I am going to look into this and will report whether this solves the problem.
So, it seems like the core of this problem was caused by an HTTP call somewhere in between the HTTPS calls during the roundtrip. So, as soon as the HTTP call is made, the cookie is dropped because cookie.secure is set to true.
Setting cookie.secure to false solved the problem. Now to figure out where the HTTP call happens. The origin site runs via HTTPS and everything is forced to be via HTTPS so, not sure if it could still happen (I guess it can), or whether this is on the Auth0 side somewhere.
It will 100% cause the issue. I noticed this as well in Safari as it throws up a notice saying the page is not secure. If I remember correctly the title of that page is something like "Submit this form".
So yes, if cookie = secure is set and anywhere along the flow there is an HTTP call, the cookie will be dropped.
The error is accompanied by either an HTTP 400 Bad Request error or an but during this period API responses might reflect the inconsistent state of the table.
Hi, wanted to bump this as I'm getting the same issue still. I've updated my version of express-openid-connect.
Users on iPhone seem to not experience this issue, though Android and Windows Chrome for sure are.
Hey David, thank you for the heads up and apologies for taking so long to reply. I have moved back to the previous passport.js solution that Auth0 used to suggest for the project in question.
I am curious about using the new shiny module though so, I am thinking I will build a skeleton auth project to try it out. I will let you know if I still run into the same problem. Also note, when running locally I do not see the error as I do not set cookie to secure=true
I'm experiencing this issue using the auth0/nextjs package. I have a live URL where authentication works perfectly fine, but on hosted development URLs I receive the checks.state argument is missing error. Do you think this error could be related to the actual URL? Or could it be related to environment variables? I have set up the same environment variables to test that theory but still no luck getting past the issue on development URLs.
I'm receiving this error as well using that package. I just dropped an issue in GitHub. Everything works great for me in every browser except Safari, both on localhost and hosted on Vercel.
Yeah, I was able to get past it on my deployed production URL by re-entering my environment variables but when Vercel auto deploys on a PR - with a sort of https://<regular-url>-<random-url>.vercel.app - I receive this error. My environment variables are all set for development and production so I feel like it has to do with the callback urls within Auth0.
I've attempted things like https://<regular-url>* and https://*.vercel.app but neither have worked. I even put a full URL that was created with a PR auto deploy and it still didn't work, so I'm unsure what to try next.
Same problem here as well, became noticeable once I tried adding an API with authentication protected routes as well, the login button throws the error.
I really hope my message will help some of you.
After having struggled quite a lot, I finally found what was the origin of the problem in my case:
My website is deployed on Netlify, and I'm using the "@auth0/nextjs-auth0" dependency. Locally, I'm using the Netlify CLI to test it, with the "netlify dev" command instead of the default Next.js command "npm run dev".
While with "npm run dev" the environment variables are read from the .env.local file, with "netlify dev" the environment variables are injected directly from the production dashboard environment variables, causing this issue because it brings in the AUTH0_BASE_URL from production.
In order to ignore the production ones (or override them when testing locally), I created a .env.development file with an AUTH0_BASE_URL=http://localhost:8888 instead of the AUTH0_BASE_URL=https://.netlify.app, and it works fine!