Internal Server Error on /oauth/token : Cannot read property 'state' of undefined

I am trying to check that a user’s password is correct by calling the /oauth/token endpoint as recommended here…

However, the response is an internal server error with this content

"{\"error\":\"access_denied\",\"error_description\":\"Cannot read property 'state' of undefined\"}"

This tells me that the state property is trying to be accessed on an undefined object in JavaScipt, but I can’t see where I am going wrong. This code is from the Auth0 C# example.

        var client = new RestClient("https://login.[domain].com/oauth/token");
        var request = new RestRequest(Method.POST);
        request.AddHeader("content-type", "application/json");
        request.AddParameter("application/json", "{\"grant_type\":\"password\",\"username\": \"<<<hidden>>>\",\"password\": \"<<<hidden>>>\",\"audience\": \"https://[tenant]\", \"scope\": \"openid profile\", \"client_id\": \"82Usz<<<hidden>>>wCciSUuppI\", \"client_secret\": \"OTfmm_Xri8c<<<hidden>>>r6f-QX2f\"}", ParameterType.RequestBody);
        IRestResponse response = client.Execute(request);

I have played around with this a lot

  • removing the audience and scopes to prompt the defaults

  • changing the username or password - which gives a different error indicating that they are correct originally

  • using a different client id and secret - which surprisingly does not change the error

  • running the code directly after this user has been authenticated which works fine using the following code in conjuction with the Authentication API…

              var code = HttpContext.Request.QueryString[codeKey];
              AuthenticationApiClient client = new AuthenticationApiClient(
              new Uri(string.Format("https://{0}", ConfigurationManager.AppSettings["auth0:Domain"])));
              var token = await client.GetTokenAsync(new AuthorizationCodeTokenRequest
                  ClientId = ConfigurationManager.AppSettings["auth0:ClientId"],
                  ClientSecret = ConfigurationManager.AppSettings["auth0:ClientSecret"],
                  Code = code,
                  RedirectUri = HttpContext.Request.Url.ToString()
  • adding Username-Password-Authentication as the Default Directory in Tenant Settings

I have tried through the authentication API, fiddler, http request but nothing has worked and the Internal Server Error isn’t giving me much to go on. Where am I going wrong please?

Are you using custom domains? Your rest URL doesn’t look right as it doesn’t match the audience you have. It should be at [tenant]

I would recommend using Postman to try calling the /oauth/token endpoint directly. Once you get it to work in postman, then you know that the tenant is fine, and there might be something wrong with the call that the C# code is making. I’ve seen weird errors when the body of the call is not actually JSON, but a JSON serialized string instead. It could be related to that.

1 Like

I was having the same issue on a legacy Auth0 tenant which is about 3 years old now.
When switching to a more recently created tenant, this issue wasn’t apparent, so it makes me think it is a resolved infrastructure or caching issue with Auth0.
[EDIT: Please see my latest post as this assumption was NOT correct]
It is something to do with their JS code failing to deserialize a state from a cache somewhere. It has nothing to do with any of our client code we could see, and nothing to do with any Hook or Rule set up to happen at time of login or signup.

Interestingly for me, a second duplicate attempt for /token with password grant type would always work, and return valid tokens instead of this state error. This is what makes me think it is Auth0’s own caching somewhere, because a second request works.

Also, what works, is a call to /authenticate, which returns a login_ticket (not used by an API, but used in their login forms).

curl -X POST \
 auth.your.domain/co/authenticate \
 -H 'Content-Type: application/json' \
 -H 'Origin: https://your.origin.domain' \
 -H 'Referer: your.origin.domain/login.html?mode=signup' \

So make the calls in this order and the token redemption will work for a newly signed up user every time:

  1. auth.your.domain/dbconnections/signup
  2. auth.your.domain/co/authenticate

In your case, just try to call /authenticate before calling /token.

I believe this is a bug in older Auth0 systems.

The issue with cannot retrieve 'state' from undefined was related to my Rules after all.
We had special rules which were querying the request for a state and during signup with the api, the states parent object was undefined, hence the exeption.

This exception in one rule caused all subsequent rules to fail.

When a call to Authenticate is made, it had a state in it, but it also bumped the login count up to 2 (which meant that some of our other rules escaped early).

So in essence, triple check your rules! (facepalm)


Glad you were able to make it work eventually!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.