Auth0 Home Blog Docs

How do I avoid a0.invalid_state



I am trying to get the login callback working. Currently it looks like this…

protected void getCallback(
        final HttpServletRequest req,
        final HttpServletResponse res
) throws IOException {
    service.handleCallback(req, res);
public void handleCallback(HttpServletRequest req, HttpServletResponse res) throws IOException {
    try {
        Tokens tokens = controller.handle(req); // breaks here
        TokenAuthentication tokenAuth = new TokenAuthentication(JWT.decode(tokens.getIdToken()));
        System.out.println("Questioning Reality Because it is redirecting correctly");
    } catch (AuthenticationException | IdentityVerificationException e) {
        System.out.println("We are where I thought we would be");

But when it gets to the point where it breaks it says the state is invalid. If I check my Auth0 logs I see a successful login. What am I missing? I am using mod_proxy if that could be doing something.

The error I get is…

com.auth0.InvalidRequestException: The request contains an error: a0.invalid_state
	at com.auth0.RequestProcessor.assertValidState(
	at com.auth0.RequestProcessor.process(
	at com.auth0.AuthenticationController.handle(


I can run it locally and it works. When that happens at this line…

return getSession(req).getAttribute(name);

I debug and run


On the local I see true, but on the remote instance I see false. Could it be that the mod_proxy is causing the session info to be lost?


Hey ,

Did you find out a solution for this ? am having the same issue when I redirect the callback to localhost ?



Did you manage to fix this issue, if yes could you please post the solution.