Hello,
Following the state parameters guide, we are trying to send a state parameter, and when we receive a state parameter on the callback and Base64-decode it, it does not equal the original state we sent.
In fact, it looks like the state parameter isn’t properly encoded.
Hi @chemiu,
Welcome to the Auth0 Community!
I think we need more information. Can you post a code block with your initial request and how you decode the state?
Thank you,
We have followed the Ruby on Rails quick start guide,
and we have added code to send a state:
# code from html template:
<%= button_to 'Login', '/auth/auth0', method: :post, params: {'state' => @state} %>

# auth0_controller.rb
def page
  uuid = 'xyzABC123'
  persistent_state = { uuid: uuid }
  cookies.signed[:persistent_state] = { value: persistent_state, expires: 60.minutes.from_now }
  @state = uuid
  render :template => "page"
end

persistent = cookies.signed[:persistent_state]

def callback
  ...
  state = Base64.decode64(params[:state])
  # the state retrieved is malformed
end
Thanks for providing that extra info. Can you also show us a sample of the state that is returned when you pass xyzABC123? I would like to try decoding it.
Hello
I am attaching the post call to the auth0 route
curl 'https://local.test-auth0.com:3000/auth/auth0' \
-H 'Connection: keep-alive' \
-H 'Pragma: no-cache' \
-H 'Cache-Control: no-cache' \
-H 'sec-ch-ua: " Not;A Brand";v="99", "Google Chrome";v="91", "Chromium";v="91"' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'Upgrade-Insecure-Requests: 1' \
-H 'Origin: https://local.test-auth0.com:3000' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
-H 'Sec-Fetch-Site: same-origin' \
-H 'Sec-Fetch-Mode: navigate' \
-H 'Sec-Fetch-User: ?1' \
-H 'Sec-Fetch-Dest: document' \
-H 'Referer: https://local.test-auth0.com:3000/auth/patient/47' \
-H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
-H 'Cookie: _ga=GA1.1.1941926334.1626265408; locale=en; _ga=GA1.2.1941926334.1626265408; persistent_state=eyJwYXRpZW50IjoiNDciLCJ1dWlkIjoieHl6QUJDMTIzIn0%3D--37bae0ff068266c7ddc9fd956d5e80cea80e4fa2; _gid=GA1.1.918905198.1626669178; _gid=GA1.2.918905198.1626669178; hash_route=#/patient-page/47; development_token_id=ImEzNGYyN2QwYWVmYWRmY2Qi--7cfbaf065c80a6ee9e2729770b8ed8c1aaf33153; development_pi_token=IlhJaG43eEJVZUd6VllhbWdIMmpJakdoTmRGRERtTTlabTVSYVI0RHhxaVki--476777c40a90d9ace3a4f4fdb7e578413b0df6f9; development_audyx_token=IkZBd0JYLVViOXNwS0t1amhxYm9oIg%3D%3D--5a531f0855d3b9fe4ca05c24a3d913559fba1815; XSRF-TOKEN=zGyRS0sFS9OeoeRGpc40k%2BpGybvRlhQGDq1P0bfT%2ByRe3i%2FGWRyZInNXxpKdvFEBTWHh1xBmbNElvlvGkULSFg%3D%3D; _audyx_session=Vk1sekhIQ1F0TUs0YXFIUDZneW05YzlxZ3VmdDl1SUVjUUhQSzd3ZkJvNFlDaTBwZXViS3VvQm1tanI1YXI4MDhYdjYxMEFyNnpyTjhOamhGSTFIeU5LL1JhTkVMMVhDamVyZ2xQSEU2UHk0MW9McDN4Vmc2SXh4MHgxZjBHa1M3QVZjQUFxVzFvNzJGNS9XSkdXSW5SVE81ZGp3QWZyaGUyVVF6REhXQ3Y5NW5LaWN6V2d6WTM5bEdQRnlwSm96bDVGM1NReEJRS3dxcjJSSVpuWUtLcmxjaTJraHZPZDdnV01pZUxzdjNBVGh2VXk3ZjhDcXlCSUk2aUM1Nkp2anVlTlBUWm1vai8yeXB3S1RORXNtNzFTTkQ2cWF3SGpFTng3ZnFzb2VGK21leHRhSzhtZ3VSTUQwaFJDZ2Y0K3I2TS82a3VHSTZZOTdxaFhVdFBDcE1wL0pMUnIvUWZsRWV6cmlEdDk1YjBHMHpyV04zVlpXOTlEdFUzampCVHVWR09mdy9oVFBncDFaTTIydXcxSm5VSFUya0p6TDJML1Mxb1EvQiszZE40YVZ4RDlpTllYTlRlbW1Ca2dicjh6Ym02TjZTUjhHVkNmWm02bmM0RG9hVmxyMWgwd1FvZzU3T2V3TDAxSkpsN21Vd2JpZ1MrNEZOcUZEdE1PWXk4STRGSXl2M2tvQ3BwV3QwUTN3WEFveTVReDN1aFd2QnJxeHNIT25mNDl4a1FqK21TTGVrdWV6cHd5blFCQWZQRmt5eU4rc0RIa3h0UlBVbDhHeC9lcFdodzNoem1tY0lnTHRUb3hUSXE3aFd0eDZHMkQrbHpZcTg3ZVdKOVErckJ1QkRsa05uVjlZbVIrQ2VlWk5LNDg0Ym4ybC82cUZNSzhhM0NTRm9FaThQR3lBL2QrdjVaUitMejZGcUtOMnVkcXdCUmkrVlF4bVgrTU5yNStWNzNIa25QaDJXMW16eEF3YzRtNTNGVU1LL2RUMmZIbEJiQzBiTWV0dWlXWUh4QnBWZXVsZStNN1M5MUprU2lLaGw5Q1ZXaDZUTzZ6dXk4dGlycFRjNHJWSkM4UG5UamFud3BET1FrVlExMXZyTGMzZUxJS3B6UVpTR0o3QWNyUTBEUTlWMGRWMTk4ak93dDRnSnp5UkNPT3hnV1FDQTBJbGZQR0k0VFU4cFNObWdQSmVJNzVvTzRKZ3FZYi80K2tGazVvRE5CM08vYmVaNlNWcUlNVzJUaVV1NGpCTjVsNUtH
SEVmOUtTWE9kZUJPMXFaU1orWVozbndWWkI3M1dyUFhXWWNib1N2RlFTZm5WMG5Dc3NIQ1FyRS95ajl6aUI5dU1ZRStzZFh2VFhWRDdNNm9oZ09LTy9pUU9qa2NVTm4rdzVtMnlRYjFkMDMrQmxWWlJhbk5JWS9kYVlyZFJONVp6MDJPNHg1MWZHSWZuR0Zrb2I3aUhaajJhMFRMWWZmcHdtbEZDTitSdkxhaHJIWmFpZHRKZldRd3U5T1I4RlJsVlpZdkFsdjlOdVV5aFNrL3BvQlhsbjEyNXhGenJJR1cvWTZtdz09LS1kSEJ5dFZvTXk4SnZLOGFON1BIVWhnPT0%3D--c575245a860ef9a2412ee49ac65124d3f68b546b' \
--data-raw 'authenticity_token=lhGazqJVvIkZ0%2BHzvBtw8uFlyMAgvG24l9uX4j1iulcEoyRDsExuePQlwyeEaRVgRkLgrOFMFW%2B8yIP1G%2FOTZQ%3D%3D&state=xyzABC123' \
--compressed ;
and the response state
753ed15cdd247cc7bc9e84d4934dc16433eb7890ed522566
Thank you
Hi @dan.woda, any luck?
Hi @chemiu,
I can’t seem to decode that. I am wondering if it isn’t malformed, but it is simply not the original state you tried to send. Are you seeing your state value being sent in the original request? If you use DevTools, do you see your state in the request?
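Added example, not part of the thread and not Auth0 or OmniAuth code: a Ruby check run over the values posted above, showing that the returned state is a 48-character hex string rather than Base64 of the sent state, which is why `Base64.decode64` on it yields bytes that look malformed. The helper names (`classify_state`, `naive_decode`, `diagnose`, `cookie_uuid`) are hypothetical; the three constants are copied from the posts.

```ruby
require "base64"
require "json"
require "uri"

# Values copied from the thread above.
SENT_STATE     = "xyzABC123"
RETURNED_STATE = "753ed15cdd247cc7bc9e84d4934dc16433eb7890ed522566"
# Payload part (before "--") of the persistent_state cookie in the curl call.
COOKIE_PAYLOAD = "eyJwYXRpZW50IjoiNDciLCJ1dWlkIjoieHl6QUJDMTIzIn0%3D"

# Hypothetical helper: report what kind of value a state string is.
def classify_state(value)
  # Test for hex first: every hex digit is also a Base64 character, so a hex
  # string passes through Base64.decode64 without error and yields raw bytes.
  return :hex_nonce if value.match?(/\A(?:\h\h)+\z/)

  decoded = Base64.strict_decode64(value).force_encoding(Encoding::UTF_8)
  return :base64_binary unless decoded.valid_encoding?

  JSON.parse(decoded).is_a?(Hash) ? :base64_json : :base64_text
rescue ArgumentError
  :opaque # not valid Base64 at all
rescue JSON::ParserError
  :base64_text
end

# What the callback's Base64.decode64(params[:state]) actually produces.
def naive_decode(value)
  Base64.decode64(value).force_encoding(Encoding::UTF_8)
end

# Hypothetical helper: compare what was sent with what came back.
def diagnose(sent, returned)
  {
    sent_kind: classify_state(sent),
    returned_kind: classify_state(returned),
    returned_length: returned.length,
    decodes_to_text: naive_decode(returned).valid_encoding?,
    round_tripped: sent == returned
  }
end

# The uuid stored in the cookie payload, for comparison with the sent state.
def cookie_uuid(payload)
  JSON.parse(Base64.strict_decode64(URI.decode_www_form_component(payload)))["uuid"]
end

puts diagnose(SENT_STATE, RETURNED_STATE)
puts cookie_uuid(COOKIE_PAYLOAD)
```

The cookie still carries the original `xyzABC123`, while the value on the callback is a different 24-byte value in hex, so comparing the raw strings is the meaningful check here, not decoding.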