Hosted login - select_account breaks state

Hi there!

I believe that we are experiencing a bug. We are using the hosted login page. With the following auth configuration in new Auth0Lock(config.clientID, config.auth0Domain, { ... }):

auth: {
        redirectUrl: config.callbackURL,
        responseType: (config.internalOptions || {}).response_type ||
          (config.callbackOnLocationHash ? 'token' : 'code'),
        params: { prompt: 'select_account'} 
      },

After successfully logging in we receive an error response after this callback is parsed:

callback:
http://localhost:9000/callback#access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik9FUkRRVEF5TVVKQlJrRkRPVFl3TTBNd1JUTXhSRVk0TVVaRFF6aERNVUpGUmpJME5EY3pRdyJ9.eyJodHRwczovL2FwaS5hbWlvLmlvL2VtYWlsIjoiemF0emlreStzdGFuZGFsb25lQGdtYWlsLmNvbSIsImh0dHBzOi8vYXBpLmFtaW8uaW8vb3JnYW5pemF0aW9uSWQiOiIxNTM1MTExOTQ5ODczODEiLCJpc3MiOiJodHRwczovL2VudGVyLmFtaW8uaW8vIiwic3ViIjoiYXV0aDB8NWI3ZmYyYTc0NTk2MWIwMTg5MTA3OWU2IiwiYXVkIjpbImh0dHBzOi8vYXBwLmFtaW8uaW8iLCJodHRwczovL2FtaW8uZXUuYXV0aDAuY29tL3VzZXJpbmZvIl0sImlhdCI6MTUzODU1MDI5MywiZXhwIjoxNTM4NTU3NDkzLCJhenAiOiJXMGZBUUJnQzVoNGJFaEpjaFdFRUdzeXh4WE4wY3I5MyIsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUgZW1haWwifQ.a98FTUUxf6sxOKdDXj59sTvaqTuwm-0KjpIypVg-ap-6Eh7109itp5iF8-AbcM8wzVvVqGu1lTAGfVc9DXku2zD602PnMkyTy_ybB_occf8vFrds6OrMIwKiKSGXfmx27QsSlLJFiWObaygbjFyPlVZi1XwK-_4eqV7yjTzIAHHuBEjCtW6ig5FnDfXC_sBNDXDSBk5vCeO68uYjG_eyIKLGTppXVOM-kaD7YGWjqeksUePQ-X4XVaGLkbjoWMIv31QQX55TsK7KpP3sdxxCzVWwbIOqAia-sqPJFBDAgBY9fkoGpd9jOc88hATnI7nQNkShNwO4BnU26j9RUTGclQ&expires_in=7200&token_type=Bearer&state=HZUjsntmgZVem9FyN5did0Oq7KlJJJxK&id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik9FUkRRVEF5TVVKQlJrRkRPVFl3TTBNd1JUTXhSRVk0TVVaRFF6aERNVUpGUmpJME5EY3pRdyJ9.eyJuaWNrbmFtZSI6InphdHppa3krc3RhbmRhbG9uZSIsIm5hbWUiOiJ6YXR6aWt5K3N0YW5kYWxvbmVAZ21haWwuY29tIiwicGljdHVyZSI6Imh0dHBzOi8vcy5ncmF2YXRhci5jb20vYXZhdGFyLzc3NmMzOWU1M2RjM2EwMjk3ZjU0NzE3OGFmYWRjYWNjP3M9NDgwJnI9cGcmZD1odHRwcyUzQSUyRiUyRmNkbi5hdXRoMC5jb20lMkZhdmF0YXJzJTJGemEucG5nIiwidXBkYXRlZF9hdCI6IjIwMTgtMTAtMDNUMDc6MDQ6NTMuMTgwWiIsImVtYWlsIjoiemF0emlreStzdGFuZGFsb25lQGdtYWlsLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwiaXNzIjoiaHR0cHM6Ly9lbnRlci5hbWlvLmlvLyIsInN1YiI6ImF1dGgwfDViN2ZmMmE3NDU5NjFiMDE4OTEwNzllNiIsImF1ZCI6IlcwZkFRQmdDNWg0YkVoSmNoV0VFR3N5eHhYTjBjcjkzIiwiaWF0IjoxNTM4NTUwMjkzLCJleHAiOjE1Mzg1NTAzNTMsImF0X2hhc2giOiJFMS1teE05cy1laU1zOHJETUZyV0l3Iiwibm9uY2UiOiJQQnBOOUxHeHpDRFJnWWNxbzNkWGtmeXBLR1hnVGVISyJ9.JgX08vg57B5cSVj0OBgQL3hYB8_xlcxaqssSCQrMhB7EYcF8nnMDJRdoTT7JSAWGO2rrPJ7rKPrvlbuP5nEyPapjWJaiRaLl-0mMBhJc90m5iZgGPZ8Zx57G8dqJz07bh46LMPrJjKeEoDI6MXrlM5xaXFWS5sN2BohGFdFCqcjTghQnBL44Eucod1-fb5wtERU0Yxi5UnpXG-FJEmRoKJeSSGU4UPPhgg35jneAkvI1v5rE2XqHzk6yt3XVnNPMAw5KEhHSqZrZFjh9V5iIKbWEyJlUpf48iOlSbMMRiFUQUZtANc4kEleUdq0hshuo8zQeMJIRCwhngHv2u7fJLQ

Error after parsing with this.auth0.parseHash((err, authResult) => {

{error: "invalid_token", errorDescription: "`state` does not match."}

The states are really different. When our app navigates to hosted login the state is TAq_UNSQtX0NUqweU2Ldx_nxO6zo44Mu, after the successful login the callback contains HZUjsntmgZVem9FyN5did0Oq7KlJJJxK. We are not modifying state by any means.

Auth0 logs report no errors.

It works if we use auth: params: config.internalOptions instead of auth: params: { prompt: 'select_account'} . But we need select_account to let users pick from multiple gmail accounts.

The affected client ID on localhost isW0fAQBgC5h4bEhJchWEEGsyxxXN0cr93.
If we do the same on the staging client with ID 0FahBRRJJtYnK7lCoGHduwHBF4sbHecZ we receive a different error:

{statusCode: 403, description: "Invalid state", name: "AnomalyDetected", code: "access_denied"}

This attampt on staging is not even logged in Auth0 logs.

Kind regards,

Nobo

Same problem, did you find a solution?

Edit: Reassigning or modifying config.internalOptions to add { prompt: “select_account” } does not work, seems like it just gets ignored.

@JanErikFoss Hey Jan, I was solving the issue in a private thread with the support team. The solution is really simple:

params: Object.assign(config.internalOptions, { prompt: 'select_account'})

Thanks for sharing that @zatziky with the res of community!

Doesn’t seem to work for me. Same result whether I put it in the options object or not. Logging the options object to console confirms that it contains { prompt: “select_account” } in addition to the other values.

Like the original post said, if I replace the options object with only { prompt: “select_account” }, then it works. (But I get errors later on because I’m missing state).

Actually, I was using incognito mode to test, which means I’m only going to have that one Google account available. I guess the account picker window is never shown if you only have 1 account available.

It’s kinda not working for me as I would expect too. It’s not always letting me pick the account (even with more gmail accounts). But it’s up to Google, not to Auth0.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.