Custom Domain Universal Login - Sign Up Works, but Login Fails with "Invalid state" Error

We’re facing an issue with our Auth0 Universal Login page using a custom domain (auth.example.com). While Sign-Up works seamlessly, Login consistently fails with the following error:

{
  "statusCode": 403,
  "description": "Invalid state",
  "name": "AnomalyDetected",
  "code": "access_denied"
}

Key Details:

Custom Domain: auth.example.com
Callback URL: https://my.example.com
Allowed Callback URLs, Logout URLs, and Web Origins: Configured correctly
Sign-Up via Universal Login: Works without issues
“Try Now” button from Auth0 Dashboard: Login works perfectly

Observed Behavior:

When attempting login via our custom login implementation, the above error is triggered. However, using the Auth0 Dashboard’s “Try Now” button for the same flow, login succeeds without any errors.

Steps Taken:

  • Verified Allowed Callback URLs, Logout URLs, and Web Origins.
  • Ensured cookies are enabled in the browser.
  • Checked DNS configuration for the custom domain.
  • Cleared browser cache and cookies.
  • Compared settings between dashboard “Try Now” flow and our implementation.

Looking for assistance in identifying why this error occurs and how to resolve it. Any insights or suggestions would be greatly appreciated!

The code for the login is similar to the one below.

window.addEventListener('load', function () {
  var config = {
    domain: 'auth.example.com',
    clientID: 'My_Client_ID',
    callbackURL: 'https://my.example.com'
  };

  var webAuth = new auth0.WebAuth({
    domain: config.domain,
    clientID: config.clientID,
    redirectUri: config.callbackURL,
    responseType: 'code',
    scope: 'openid profile email',
  });

  // Login functionality
  document.getElementById('btn-login').addEventListener('click', function () {
    var email = document.getElementById('email').value;
    var password = document.getElementById('password').value;

    webAuth.login({
      realm: 'Username-Password-Authentication',
      username: email,
      password: password,
    }, function (err) {
      if (err) {
        console.error(err);
      }
    });
  });
}); 

Hi @kasunwijerathnaiit,

Can you try using redirect_uri instead of redirectUri in the WebAuth method?

Hi @sumansaurav, I changed it like that and checked now, but got the same error…

So, the ‘Invalid State’ error is caused by the state parameter missing or not matching the initial value.

Here are a few community posts that could help you:
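Added example, not part of the thread and not Auth0's code: a simplified model of the state check the last reply describes, showing why a login request built only from hand-written options is rejected while one that forwards the transaction's state is accepted. The function names and the `serverParams` object are hypothetical; the error body mirrors the one in the question.

```javascript
// Simplified model of a transaction-bound state check (not Auth0's implementation).
const crypto = require('crypto');

const pending = new Map(); // state -> { clientID, expires }

// Authorization endpoint: mint an unguessable state for this login transaction.
function beginTransaction(clientID, ttlMs = 10 * 60 * 1000) {
  const state = crypto.randomBytes(24).toString('hex');
  pending.set(state, { clientID, expires: Date.now() + ttlMs });
  return state;
}

// Login endpoint: accept credentials only inside a transaction that is known,
// unexpired, issued to the same client, and not already used.
function checkLogin(request) {
  const tx = typeof request.state === 'string' ? pending.get(request.state) : undefined;
  if (!tx || tx.clientID !== request.clientID || tx.expires < Date.now()) {
    return { statusCode: 403, description: 'Invalid state',
             name: 'AnomalyDetected', code: 'access_denied' };
  }
  pending.delete(request.state); // single use: a replayed state fails
  return { statusCode: 200 };
}

// Login page, variant A: options written by hand, as in the post. No state is sent.
function handWrittenRequest(username) {
  return { clientID: 'My_Client_ID', realm: 'Username-Password-Authentication', username };
}

// Login page, variant B: the same options merged with the transaction
// parameters the server handed to the page (hypothetical `serverParams`).
function forwardedRequest(username, serverParams) {
  return Object.assign(handWrittenRequest(username), serverParams);
}

// Constructed sample run: one transaction, three login attempts.
function demo() {
  const state = beginTransaction('My_Client_ID');
  const a = checkLogin(handWrittenRequest('user@example.com'));
  const b = checkLogin(forwardedRequest('user@example.com', { state }));
  const replay = checkLogin(forwardedRequest('user@example.com', { state }));
  return { a, b, replay };
}

console.log(demo());
```

When debugging the real flow, compare the `state` value in the initial `/authorize` redirect with the one in the login request shown in the browser's network tab.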