BadRequestError: state mismatch


Few days back my auth0 integration with node.js using express-openid-connect was working … but now it started giving error after the authentication done

BadRequestError: state mismatch, expected eyJyZXR1cm5UbyI6Ii8ifQ, got: hKFo2SBOVEhFUHlkWnA0SzBWTDgyM1l3cHRkMnF5eHBpdTNGNqFupWxvZ2luo3RpZNkgVU4wRS1mWXdkbG80MDFIZzk4WHZ5bUtNcWhoc3drdXGjY2lk2SBqVlRPbDQ2T2NKVTR4d2pRdnBZMlNnNUxJNGZOZzN3NQ
at /home/ubuntu/ProUserManagement/node_modules/express-openid-connect/middleware/auth.js:121:19
at processTicksAndRejections (internal/process/task_queues.js:95:5)

Hi @anil.kukreti,

Welcome to the Auth0 Community!

Can you please provide details on the version of the modules you are using?

Hi Dan Woda ,

Thanks a lot for taking time to reply on question.

Further , I extend my sincere apologies for replying so late.

I am using express-openid-connect 2.6.0 version.
I noticed initially after the auth flow gets completed … I get bad state error (exception is thrown in logs) but if i refresh the page , I get success result and landup to right page . So for now I am just hiding error due to bad state , via express error handler and proceeding to the dashboard once authentication completes.

But still bad error exception is there.


Have you tried the most recent version?

Also, have you looked through this thread? state mismatch error · Issue #170 · auth0/express-openid-connect · GitHub

Yes I have tried the recent version , Its the same problem…

Can you please share the code you are using? I would like to try to reproduce the error.

Here it is

        issuerBaseURL: sharedLC.ISSUER_BASE_URL,
        baseURL: sharedLC.BASE_URL,
        clientID: sharedLC.CLIENT_ID,
        secret: sharedLC.CLIENT_SECRET,
        idpLogout: true,
        // authRequired: false,
        auth0Logout: true,

// error handler
app.use((err, req, res, next) => {
    if (err.message.includes('state mismatch')) {
    } else {
        res.status(500).send('Something broke!' + err.message)


app.get('/', async (req, res) => {
    var body = req.body;

Thanks for sharing. I don’t see any glaring issues here (although it appears you are using your client_secret as the generic app secret, which is not recommended).

I’m not seeing other reports of this issue, which leads me to believe this is isolated to your application. Is there any other info you can provide? What changed when you started seeing this error?