Clicking back button after login to callback link throws invalid token state does not match

After a successful login, the callback URL gets called and redirects to http://localhost:3000/dashboard

Now I click the back button in my Chrome browser, and the browser tries to go to http://localhost:3000/callback#access_token=.....&expires_in=...&state=… etc.

At this point, my handleAuthentication function gets called:

// Runs when the /callback route mounts. The parameter is unused: parseHash reads
// window.location.hash itself, so a replayed callback URL is parsed again here.
handleAuthentication = hash => {
  this.auth0.parseHash((err, authResult) => {
    if (authResult && authResult.accessToken && authResult.idToken) {
      // Fresh callback: store the tokens and move on to the app.
      this.setSession(authResult);
      this.history.push("dashboard");
    } else if (err) {
      // Replayed or invalid callback: parseHash reports a state mismatch here.
      this.history.push("/");
      alert(`Error: ${err.error}. Check the console for further details.`);
      console.log(err);
    }
  });
};

The issue is that this.auth0.parseHash always errors out with:

{error: "invalid_token", errorDescription: "state does not match"}

How are you handling the user pressing the back button after a successful login, which triggers the callback URL again?
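One way a Callback component can tell a fresh callback from a replayed one, as an added example that is not code from the original post or from auth0.js: the `pendingState` value (the state the app saved before redirecting to login) and the `session.expiresAt` shape are assumptions for illustration. A replayed hash whose state was already consumed is treated as "already signed in" instead of an error, and the handler is written so the token-bearing /callback entry can be replaced in history rather than pushed, which also keeps the fragment out of the back stack.

```javascript
// Added example: route decision for a /callback page revisited via the back button.
// Not part of the original post; `pendingState` and `session.expiresAt` are assumed shapes.
const STATE_MISMATCH = "state does not match";

// Parse "#access_token=...&expires_in=...&state=..." into a plain object.
function parseFragment(hash) {
  const params = {};
  for (const pair of hash.replace(/^#/, "").split("&")) {
    if (!pair) continue;
    const [key, value = ""] = pair.split("=");
    params[decodeURIComponent(key)] = decodeURIComponent(value);
  }
  return params;
}

// Decide what the Callback component should do before calling parseHash.
//   hash         - window.location.hash on the callback route
//   pendingState - state saved when the login redirect was started (null once consumed)
//   session      - what setSession stored, e.g. { expiresAt: <ms epoch> }, or null
function resolveCallback({ hash, pendingState, session, now = Date.now() }) {
  const { state } = parseFragment(hash);
  const sessionValid = Boolean(session && session.expiresAt > now);
  if (state && pendingState && state === pendingState) {
    // Fresh callback: let auth0.js verify the hash and the state.
    return { action: "parseHash" };
  }
  // No matching transaction: this is a replay (back button, reload, bookmark).
  // The state was single-use; never re-accept the tokens from the URL.
  if (sessionValid) {
    return { action: "replace", to: "/dashboard", reason: "replayed callback, session valid" };
  }
  return { action: "replace", to: "/", reason: "replayed callback, no session" };
}

// Classify a parseHash error: a state mismatch while a valid session exists is a replay,
// not a login failure, so the user should land on the app instead of seeing an alert.
function classifyParseHashError(err, session, now = Date.now()) {
  const sessionValid = Boolean(session && session.expiresAt > now);
  if (err && err.error === "invalid_token" && err.errorDescription === STATE_MISMATCH && sessionValid) {
    return { action: "replace", to: "/dashboard", reason: "state already consumed" };
  }
  return { action: "fail", error: err };
}
```

In the component, `history.replace(to)` rather than `history.push` removes the /callback entry (and its token fragment) from the back stack.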

Hi there @Won, I’d be happy to take a look at what may be going on here. When you get a chance can you snag a HAR file of the current workflow when the error presents itself along with your tenant name and DM them over to me so I can take a deeper look at what may be occurring? Please let me know if you have any questions. Thanks!

Thank you. Please note that when you click back in the browser, it does not make a request over the network. The change in URL gets caught by React Router and runs the Callback component.

Here is a screenshot to clarify: https://drive.google.com/open?id=1cSPZ-_vHUaFH607aVUSRsssWuvh7z8RG

Thanks again.

After talking with support I was able to confirm that the auth flow from this state has already been consumed as intended. It is not within the standard workflow for the end user to click the back button and for it to perform like nothing occurred. Because of this we don't have a workaround for this situation. Please let me know if you have any additional questions on this matter.
