
Hosted login - select_account breaks state

bug
hosted-login-page


Hi there!

I believe that we are experiencing a bug. We are using the hosted login page. With the following auth configuration in new Auth0Lock(config.clientID, config.auth0Domain, { ... }):

auth: {
  redirectUrl: config.callbackURL,
  responseType: (config.internalOptions || {}).response_type ||
    (config.callbackOnLocationHash ? 'token' : 'code'),
  params: { prompt: 'select_account' }
},

After successfully logging in we receive an error response after this callback is parsed:


Error after parsing with this.auth0.parseHash((err, authResult) => { ... }):

{error: "invalid_token", errorDescription: "`state` does not match."}

The states are really different. When our app navigates to hosted login the state is TAq_UNSQtX0NUqweU2Ldx_nxO6zo44Mu, after the successful login the callback contains HZUjsntmgZVem9FyN5did0Oq7KlJJJxK. We are not modifying state by any means.

Auth0 logs report no errors.

It works if we use auth: params: config.internalOptions instead of auth: params: { prompt: 'select_account' }. But we need select_account to let users pick from multiple Gmail accounts.

The affected client ID on localhost is W0fAQBgC5h4bEhJchWEEGsyxxXN0cr93.
If we do the same on the staging client with ID 0FahBRRJJtYnK7lCoGHduwHBF4sbHecZ we receive a different error:

{statusCode: 403, description: "Invalid state", name: "AnomalyDetected", code: "access_denied"}

This attempt on staging is not even logged in Auth0 logs.

Kind regards,

Nobo
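An added illustration, not code from the post or from Auth0's Lock library, of the behaviour the report describes: the hosted login page's `config.internalOptions` is assumed to carry the `state` the application generated before redirecting, so replacing `params` wholesale drops it and the SDK ends up using a different state than the one the application later checks. The `config` object, the generated state and the state-comparison routine standing in for the SDK's `parseHash` check are all constructed for this example.

```javascript
// Added example (not from the post or from Auth0). Assumption: the hosted
// login page's config.internalOptions holds the state/nonce the app sent.
// All values below are constructed, except the two state strings quoted
// in the report.

// Merge rather than replace: keep every parameter the app sent and add
// the select_account prompt on top.
function buildAuthParams(config, prompt) {
  return Object.assign({}, config.internalOptions, { prompt: prompt });
}

// Stand-in for what a login widget does when no state was supplied:
// it has to mint one of its own, which the app never stored.
function effectiveState(params, generatedState) {
  return params.state || generatedState;
}

// Parse the URL fragment returned on the callback into key/value pairs.
function parseCallbackHash(hash) {
  const params = {};
  for (const pair of hash.replace(/^#/, '').split('&')) {
    const [k, v] = pair.split('=');
    if (k) params[decodeURIComponent(k)] = decodeURIComponent(v || '');
  }
  return params;
}

// Minimal stand-in for the state check parseHash performs: the state in
// the fragment must equal the one stored before the redirect.
function verifyState(hash, storedState) {
  const p = parseCallbackHash(hash);
  if (p.state !== storedState) {
    return { error: 'invalid_token', errorDescription: '`state` does not match.' };
  }
  return { accessToken: p.access_token, expiresIn: Number(p.expires_in) };
}

// Constructed config mirroring what the hosted page template passes in.
const config = {
  internalOptions: { state: 'TAq_UNSQtX0NUqweU2Ldx_nxO6zo44Mu', nonce: 'n-1' }
};

const merged = buildAuthParams(config, 'select_account');
// merged keeps state 'TAq_...' and gains prompt 'select_account'
const replaced = { prompt: 'select_account' };
// replaced has no state, so the widget falls back to its own value
const widgetState = effectiveState(replaced, 'HZUjsntmgZVem9FyN5did0Oq7KlJJJxK');
const callback = '#access_token=tok&expires_in=7200&token_type=Bearer&state=' + widgetState;
const result = verifyState(callback, config.internalOptions.state); // -> error
```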