Hosted login - select_account breaks state

Hi there!

I believe that we are experiencing a bug. We are using the hosted login page. With the following auth configuration in new Auth0Lock(config.clientID, config.auth0Domain, { ... }):

auth: {
  redirectUrl: config.callbackURL,
  responseType: (config.internalOptions || {}).response_type ||
    (config.callbackOnLocationHash ? 'token' : 'code'),
  params: { prompt: 'select_account' }
},

After successfully logging in we receive an error response after this callback is parsed:

callback:
http://localhost:9000/callback#access_token=[access_token JWT omitted]&expires_in=7200&token_type=Bearer&state=HZUjsntmgZVem9FyN5did0Oq7KlJJJxK&id_token=[id_token JWT omitted]

Error after parsing with this.auth0.parseHash((err, authResult) => { ... }):

{error: "invalid_token", errorDescription: "`state` does not match."}

The states are really different. When our app navigates to hosted login the state is TAq_UNSQtX0NUqweU2Ldx_nxO6zo44Mu, after the successful login the callback contains HZUjsntmgZVem9FyN5did0Oq7KlJJJxK. We are not modifying state by any means.

Auth0 logs report no errors.

It works if we use auth: { params: config.internalOptions } instead of auth: { params: { prompt: 'select_account' } }. But we need select_account to let users pick from multiple Gmail accounts.

The affected client ID on localhost is W0fAQBgC5h4bEhJchWEEGsyxxXN0cr93.
If we do the same on the staging client with ID 0FahBRRJJtYnK7lCoGHduwHBF4sbHecZ we receive a different error:

{statusCode: 403, description: "Invalid state", name: "AnomalyDetected", code: "access_denied"}

This attempt on staging is not even logged in Auth0 logs.

Kind regards,

Nobo


Same problem, did you find a solution?

Edit: Reassigning or modifying config.internalOptions to add { prompt: "select_account" } does not work; it seems like it just gets ignored.


@JanErikFoss Hey Jan, I was solving the issue in a private thread with the support team. The solution is really simple:

params: Object.assign(config.internalOptions, { prompt: 'select_account' })

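An added example (not code from the thread or from Auth0) showing why replacing params loses the state the hosted page supplies while merging keeps it, together with the comparison parseHash performs on the callback. config.internalOptions and the callback URLs below are constructed samples; only the state values come from the original post.

```javascript
// Constructed stand-in for the config.internalOptions object the hosted
// login page injects. Real contents vary; the state is from the first post.
const sampleInternalOptions = {
  response_type: 'token id_token',
  state: 'TAq_UNSQtX0NUqweU2Ldx_nxO6zo44Mu',
  nonce: 'constructed-nonce',
};

// Replacing params: nothing from internalOptions (state, nonce, ...) is sent.
function replacedParams(extra) {
  return Object.assign({}, extra);
}

// Merging params: keep everything from internalOptions and add the prompt.
// Copying into a fresh object avoids mutating config.internalOptions itself.
function mergedParams(internalOptions, extra) {
  return Object.assign({}, internalOptions || {}, extra);
}

// Split the fragment of a callback URL into its key/value pairs.
function parseCallbackHash(callbackUrl) {
  const fragment = new URL(callbackUrl).hash.replace(/^#/, '');
  return Object.fromEntries(new URLSearchParams(fragment));
}

// The CSRF check behind "`state` does not match": the state echoed back by
// the authorization server must equal the one this client actually sent.
function stateMatches(sentParams, callbackUrl) {
  const returned = parseCallbackHash(callbackUrl).state;
  return typeof sentParams.state === 'string' && sentParams.state === returned;
}

// Constructed callbacks: one echoing the sent state, one with the
// unexpected state reported in the first post.
const goodCallback =
  'http://localhost:9000/callback#access_token=constructed&expires_in=7200' +
  '&token_type=Bearer&state=TAq_UNSQtX0NUqweU2Ldx_nxO6zo44Mu';
const badCallback =
  'http://localhost:9000/callback#access_token=constructed&expires_in=7200' +
  '&token_type=Bearer&state=HZUjsntmgZVem9FyN5did0Oq7KlJJJxK';

const merged = mergedParams(sampleInternalOptions, { prompt: 'select_account' });
const replaced = replacedParams({ prompt: 'select_account' });
console.log('merged keeps state:', stateMatches(merged, goodCallback));   // true
console.log('replaced has state:', stateMatches(replaced, goodCallback)); // false
console.log('wrong state rejected:', stateMatches(merged, badCallback));  // false
```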

Thanks for sharing that @zatziky with the rest of the community!

Doesn't seem to work for me. Same result whether I put it in the options object or not. Logging the options object to the console confirms that it contains { prompt: "select_account" } in addition to the other values.

Like the original post said, if I replace the options object with only { prompt: "select_account" }, then it works. (But I get errors later on because I'm missing state.)

Actually, I was using incognito mode to test, which means I'm only going to have that one Google account available. I guess the account picker window is never shown if you only have one account available.

It's kinda not working for me as I would expect either. It's not always letting me pick the account (even with more Gmail accounts). But it's up to Google, not to Auth0.
