BadRequestError: state mismatch

anil.kukreti · March 29, 2022, 2:23am

Hi

Few days back my auth0 integration with node.js using express-openid-connect was working … but now it started giving error after the authentication done

BadRequestError: state mismatch, expected eyJyZXR1cm5UbyI6Ii8ifQ, got: hKFo2SBOVEhFUHlkWnA0SzBWTDgyM1l3cHRkMnF5eHBpdTNGNqFupWxvZ2luo3RpZNkgVU4wRS1mWXdkbG80MDFIZzk4WHZ5bUtNcWhoc3drdXGjY2lk2SBqVlRPbDQ2T2NKVTR4d2pRdnBZMlNnNUxJNGZOZzN3NQ
at /home/ubuntu/ProUserManagement/node_modules/express-openid-connect/middleware/auth.js:121:19
at processTicksAndRejections (internal/process/task_queues.js:95:5)

dan.woda · March 30, 2022, 2:58pm

Hi @anil.kukreti,

Welcome to the Auth0 Community!

Can you please provide details on the version of the modules you are using?

anil.kukreti · April 6, 2022, 5:05am

Hi Dan Woda ,

Thanks a lot for taking time to reply on question.

Further , I extend my sincere apologies for replying so late.

I am using express-openid-connect 2.6.0 version.
I noticed initially after the auth flow gets completed … I get bad state error (exception is thrown in logs) but if i refresh the page , I get success result and landup to right page . So for now I am just hiding error due to bad state , via express error handler and proceeding to the dashboard once authentication completes.

But still bad error exception is there.

Thanks

dan.woda · April 6, 2022, 4:09pm

Have you tried the most recent version?

Also, have you looked through this thread? state mismatch error · Issue #170 · auth0/express-openid-connect · GitHub

anil.kukreti · April 12, 2022, 3:50am

Yes I have tried the recent version , Its the same problem…

dan.woda · April 12, 2022, 3:32pm

Can you please share the code you are using? I would like to try to reproduce the error.

anil.kukreti · April 12, 2022, 3:48pm

Here it is

app.use(
    auth({
        issuerBaseURL: sharedLC.ISSUER_BASE_URL,
        baseURL: sharedLC.BASE_URL,
        clientID: sharedLC.CLIENT_ID,
        secret: sharedLC.CLIENT_SECRET,
        idpLogout: true,
        // authRequired: false,
        auth0Logout: true,
    }),
);


// error handler
app.use((err, req, res, next) => {
    console.error(err.stack)
    if (err.message.includes('state mismatch')) {
        res.redirect("https://webadmin.super2110.com");
    } else {
        res.status(500).send('Something broke!' + err.message)
    }

})




app.get('/', async (req, res) => {
    var body = req.body;
    console.log(req.oidc.user);
});

dan.woda · April 12, 2022, 8:22pm

Thanks for sharing. I don’t see any glaring issues here (although it appears you are using your client_secret as the generic app secret, which is not recommended).

I’m not seeing other reports of this issue, which leads me to believe this is isolated to your application. Is there any other info you can provide? What changed when you started seeing this error?