
Internal Server Error on /oauth/token : Cannot read property 'state' of undefined



I am trying to check that a user’s password is correct by calling the /oauth/token endpoint as recommended here…

However, the response is an internal server error with this content

"{\"error\":\"access_denied\",\"error_description\":\"Cannot read property 'state' of undefined\"}"

This tells me that the state property is trying to be accessed on an undefined object in JavaScript, but I can’t see where I am going wrong. This code is from the Auth0 C# example.

        var client = new RestClient("https://login.[domain].com/oauth/token");
        var request = new RestRequest(Method.POST);
        request.AddHeader("content-type", "application/json");
        request.AddParameter("application/json", "{\"grant_type\":\"password\",\"username\": \"<<<hidden>>>\",\"password\": \"<<<hidden>>>\",\"audience\": \"https://[tenant]\", \"scope\": \"openid profile\", \"client_id\": \"82Usz<<<hidden>>>wCciSUuppI\", \"client_secret\": \"OTfmm_Xri8c<<<hidden>>>r6f-QX2f\"}", ParameterType.RequestBody);
        IRestResponse response = client.Execute(request);

I have played around with this a lot

  • removing the audience and scopes to prompt the defaults

  • changing the username or password - which gives a different error indicating that they are correct originally

  • using a different client id and secret - which surprisingly does not change the error

  • running the code directly after this user has been authenticated which works fine using the following code in conjunction with the Authentication API…

              // Authorization code returned on the callback query string
              var code = HttpContext.Request.QueryString[codeKey];
              AuthenticationApiClient client = new AuthenticationApiClient(
                  new Uri(string.Format("https://{0}", ConfigurationManager.AppSettings["auth0:Domain"])));
              // Exchange the authorization code for tokens
              var token = await client.GetTokenAsync(new AuthorizationCodeTokenRequest
              {
                  ClientId = ConfigurationManager.AppSettings["auth0:ClientId"],
                  ClientSecret = ConfigurationManager.AppSettings["auth0:ClientSecret"],
                  Code = code,
                  RedirectUri = HttpContext.Request.Url.ToString()
              });

  • adding Username-Password-Authentication as the Default Directory in Tenant Settings

I have tried through the authentication API, fiddler, http request but nothing has worked and the Internal Server Error isn’t giving me much to go on. Where am I going wrong please?


Are you using custom domains? Your rest URL doesn’t look right as it doesn’t match the audience you have. It should be at [tenant]

I would recommend using Postman to try calling the /oauth/token endpoint directly. Once you get it to work in Postman, then you know that the tenant is fine, and there might be something wrong with the call that the C# code is making. I’ve seen weird errors when the body of the call is not actually JSON, but a JSON serialized string instead. It could be related to that.
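
The double-serialization problem mentioned in the answer above, as an added example that is not part of the original thread: it uses System.Text.Json to tell a JSON object body apart from a JSON string that merely wraps one, and to unwrap the latter before the request is sent. The class and method names and the placeholder field values are assumptions made for illustration.

```csharp
using System;
using System.Text.Json;

static class TokenRequestBody
{
    // Returns the JSON type of the body's root value. A JSON endpoint expects
    // Object; String means the payload was serialized a second time.
    public static JsonValueKind Classify(string body)
    {
        using var doc = JsonDocument.Parse(body); // throws JsonException on invalid JSON
        return doc.RootElement.ValueKind;
    }

    // Removes one level of accidental double serialization and rejects any
    // body that still is not a JSON object afterwards.
    public static string Normalize(string body)
    {
        using var doc = JsonDocument.Parse(body);
        var root = doc.RootElement;
        string candidate = root.ValueKind == JsonValueKind.String ? root.GetString() : body;
        if (Classify(candidate) != JsonValueKind.Object)
            throw new FormatException("Request body must be a JSON object.");
        return candidate;
    }

    static void Main()
    {
        // Constructed placeholder values, not real credentials.
        var payload = new
        {
            grant_type = "password",
            username = "user@example.com",
            password = "PLACEHOLDER_PASSWORD",
            client_id = "PLACEHOLDER_CLIENT_ID"
        };

        string body = JsonSerializer.Serialize(payload);  // a JSON object
        string doubled = JsonSerializer.Serialize(body);  // the mistake: a JSON string

        Console.WriteLine($"single: {Classify(body)}");
        Console.WriteLine($"double: {Classify(doubled)}");
        Console.WriteLine($"normalized matches original: {Normalize(doubled) == body}");
    }
}
```

Running `Normalize` on the body just before it is attached to the request, and logging only the `Classify` result rather than the body itself, keeps the password and client secret out of debug logs.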