Invalid state after login

helloIAmPau · October 23, 2020, 8:40am

Hello all. I’m trying to implement the authentication flow for my spa but I always receive an “invalid state” error on my callback page.

My application lives at “https://app.local.io” and my callback service lives at “https://auth.local.io”.

here is how I configured my spa application:

this is the authentication part of my app

    const getAuth = function() {
      if(_auth !== null) {
        return Promise.resolve(_auth);
      }

      return createAuth0Client({
        audience: config.audience,
        domain: config.domain,
        client_id: config.client_id
      }).then(function(auth) {
        _auth = auth;

        return auth;
      })
    };

      return getAuth().then(function(auth) {
        return Promise.all([ auth.isAuthenticated(), auth ]);
      }).then(function([ isAuthenticated, auth ]) {
        if(isAuthenticated === true) {
          return;
        }

        return auth.loginWithRedirect({
          redirect_uri: config.redirect_uri
        });
      });

and this is the relevant part of my callback page:

    createAuth0Client({
        audience: config.audience,
        domain: config.domain,
        client_id: config.client_id
      }).then(function(auth0) {
        return auth0.handleRedirectCallback();
      }).then(function() {
        var destination = window.location.origin.replace('auth', 'app');
        window.location.repalce(destination);
      });

it looks like it doesn’t set the auth0_state cookie.

Is there something I’m missing in the configuration?

Thanks

jmangelo · October 28, 2020, 5:07pm

To my knowledge the SDK will set a cookie specific to the full domain where the SDK is being used, however, you’re using one domain to start the login and a different one to process the callback so it’s likely that the cookie is being set, but on app.local.io and as such unavailable once the response is returned to auth.local.io.

Can you expand on the use case for starting the login in one domain, but handling it in another one? Given they share a parent domain you can likely workaround this with custom logic, but that would seem unnecessary overhead.

Topic		Replies	Views
Invalid State after copying and pasting example code 2 Help classic-universal-login-experience , login-experience	0	531	October 4, 2023
Invalid state error after using Oauth with Auth0 React SPA Help oauth , spa , react , state	4	6304	December 17, 2020
Invalid state error when using /authorize endpoint directly in conjunction with the Auth0 SPA SDK Help login-experience , new-universal-login-experience	4	5165	May 26, 2023
Getting random "Invalid State" error for some visitors on callback redirection Help	0	1175	October 5, 2022
handleRedirectCallback failing with "Invalid State" error & empty response Help	1	2214	October 10, 2022

Invalid state after login

Related Topics