Are you using custom domains? Your rest URL doesn’t look right as it doesn’t match the audience you have. It should be at [tenant].eu.auth0.com/oauth/token.
I would recommend using Postman to try calling the /oauth/token endpoint directly. Once you get it to work in postman, then you know that the tenant is fine, and there might be something wrong with the call that the C# code is making. I’ve seen weird errors when the body of the call is not actually JSON, but a JSON serialized string instead. It could be related to that.
I was having the same issue on a legacy Auth0 tenant which is about 3 years old now.
When switching to a more recently created tenant, this issue wasn’t apparent, so it makes me think it is a resolved infrastructure or caching issue with Auth0.
[EDIT: Please see my latest post as this assumption was NOT correct]
It is something to do with their JS code failing to deserialize a state from a cache somewhere. It has nothing to do with any of our client code we could see, and nothing to do with any Hook or Rule set up to happen at time of login or signup.
Interestingly for me, a second duplicate attempt for /token with password grant type would always work, and return valid tokens instead of this state error. This is what makes me think it is Auth0’s own caching somewhere, because a second request works.
Also, what works, is a call to /authenticate, which returns a login_ticket (not used by an API, but used in their login forms).
The issue with cannot retrieve 'state' from undefined was related to my Rules after all.
We had special rules which were querying the request for a state and during signup with the api, the states parent object was undefined, hence the exeption.
This exception in one rule caused all subsequent rules to fail.
When a call to Authenticate is made, it had a state in it, but it also bumped the login count up to 2 (which meant that some of our other rules escaped early).
So in essence, triple check your rules! (facepalm)