Invalid state [error code: unknown]

I am wanting to use the WordPress plugin to authenticate my users on www.jasonhumphrey.com. Occasionally when I log in (generally when I clear all cookies and log out) it will return an invalid state. Here is the documentation on Auth0 that documents all the troubleshooting steps that I have tried - Troubleshoot WordPress Plugin Invalid State Errors

  • update plugin to the latest version
  • to change the active theme
  • to disable all plugins but Login by Auth0 to check plugin compatibility
  • to check error log is empty and console for Login by Auth0 plugin
  • to change PHP version to check PHP compatibility issue
  • to disable CDN
  • to disable cache in wp-config.php
  • to define an admin cookie path in wp-config.php

but that didn’t fix the login issue "Invalid state [error code: unknown]" in the plugin.

Would someone be able to help me out here?

Hey there @Jason.Humphrey, welcome to Auth0’s Community!

I would be happy to take a look at this with you. When you get a chance can you please snag us a HAR file of the broken workflow and please be sure to select “Preserve log” to catch redirects and scrub the file of user passwords before sending it in a direct message along with your tenant name. Thanks!

I wanted to follow up @Jason.Humphrey and after further investigation I found similar state invalid issues where the WP application’s hosting provider had server-side caching enabled and as a result the Auth0 callback URL was cached, resulting in failed state validation in some cases.

Furthermore I will review the HAR file you sent over and see what I can find there. Thanks!

I’m using GoDaddy’s premium WordPress hosting services & I have already put a ticket in on their side and they said they have followed everything in the invalid state doc. They were unable to get it to work.

What is my next step then? Am I just SOL?

I’m still investigating the situation and will share what more I find after working with our team :+1:

Just wanted to check in and see if there are any updates?

I am waiting on feedback from our team regarding this @Jason.Humphrey, I will relay what is found as soon as I hear anything. Thank you for your patience.

Hey @Jason.Humphrey, sorry for the trouble here. I took a look at the troubleshooting output you sent to Jim. It looks like the $_REQUEST global is missing both state and code there. Those are URL params that I see in the HAR but are not being added to $_REQUEST (PHP’s combined global for POST fields and GET params).

If you change the code from step 12 in the troubleshooting guide to:

echo '<h1>$_REQUEST</h1>'; 
var_dump($_REQUEST); 
echo '<h1>$_GET</h1>'; 
var_dump($_GET); 
echo '<h1>$_COOKIE</h1>'; 
var_dump($_COOKIE); 
die('<h1>Done</h1>');

If $_GET and $_REQUEST are different, something is messing with the globals for your install (the server or another plugin). If something IS doing that, I can add a fallback in the plugin on the next release (out in about a week or so). I can put together a patch in the meantime if we figure out that this is the issue.

Just for reference, here’s what the above output looks like in my test environment:

You can see the state and code parameters in there.


$_REQUEST

array(3) { [“auth0”]=> string(1) “1” [“code”]=> string(16) “mSvPGSD27bEdKm3E” [“state”]=> string(220) “eyJpbnRlcmltIjpmYWxzZSwibm9uY2UiOiJmYzdlZDk2ZTU0YmZiMDNlMGM0YzY0ZDZlMDk3Njg1MDU5ZmEzNjhmNzFmZWY4NDZkZmU0ZTFjYzYzYzAyNTQ1IiwicmVkaXJlY3RfdG8iOiJodHRwczpcL1wvamFzb25odW1waHJleS5jb21cL3Byb2R1Y3RcL2dyb3VwLWNvYWNoaW5nXC8if” }

$_GET

array(3) { [“auth0”]=> string(1) “1” [“code”]=> string(16) “mSvPGSD27bEdKm3E” [“state”]=> string(220) “eyJpbnRlcmltIjpmYWxzZSwibm9uY2UiOiJmYzdlZDk2ZTU0YmZiMDNlMGM0YzY0ZDZlMDk3Njg1MDU5ZmEzNjhmNzFmZWY4NDZkZmU0ZTFjYzYzYzAyNTQ1IiwicmVkaXJlY3RfdG8iOiJodHRwczpcL1wvamFzb25odW1waHJleS5jb21cL3Byb2R1Y3RcL2dyb3VwLWNvYWNoaW5nXC8if” }

$_COOKIE

array(0) { }

Done


What’s really odd is on my iPad it came back working like your test environment but on my computer in incognito mode it came back what you see above

  • Answered via private message.

So, for this all to work, the $_REQUEST global needs to be populated (normal, default Apache/PHP behavior) with what’s in the URL. We’re not doing anything out of the ordinary with the processing here, just grabbing what comes back in the URL. I’m not seeing any other redirects in the HAR file you submitted so I’m at a loss here.

The next things to check:

  • If you’re able to spin up a blank site with the plugin and the same configuration but a default theme and no other plugins, that would be a good thing to check.
  • If GoDaddy can review what we’re doing to see if there are any incompatibilities, we set a cookie and redirect here:

https://github.com/auth0/wp-auth0/blob/master/lib/WP_Auth0_LoginManager.php#L142

… and then do the verification here:

https://github.com/auth0/wp-auth0/blob/master/lib/WP_Auth0_LoginManager.php#L182

Both of the methods referenced there are in this class:

https://github.com/auth0/wp-auth0/blob/master/lib/WP_Auth0_Nonce_Handler.php

Again, nothing out of the ordinary going on here. If you want to connect me with GoDaddy support to try and hash this out, I’ll PM you my email address. We want the plugin to work in as many environments as possible so if there’s a change we can make, I’m happy to do it but nothing is popping out at me as something we’re able to change on our end.

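An added example (not part of the original thread and not code from the wp-auth0 source) of the check described in the post above: a value is stored in a cookie before the redirect and compared with the `state` URL parameter on the callback. The cookie name `example_state`, the function `diagnose_callback` and all sample values are assumptions made for illustration; the direct comparison of cookie and `state` is a simplification.

```php
<?php
// Added example: name the reason an OAuth callback would fail state validation.
// STATE_COOKIE is a hypothetical name, not taken from the plugin source.
const STATE_COOKIE = 'example_state';

/**
 * Compare the state returned in the callback URL with the value stored in a
 * cookie before the redirect, and report which failure mode applies.
 */
function diagnose_callback(array $get, array $request, array $cookie): string
{
    // The callback parameters arrive in the URL; $_REQUEST should mirror them.
    foreach (['state', 'code'] as $param) {
        if (isset($get[$param]) && !isset($request[$param])) {
            return "request-global-altered: $param is in \$_GET but not \$_REQUEST";
        }
    }
    if (!isset($get['state']) || !is_string($get['state'])) {
        return 'no-state-param: callback URL carried no usable state';
    }
    if (!isset($cookie[STATE_COOKIE]) || !is_string($cookie[STATE_COOKIE])) {
        return 'no-state-cookie: browser sent no stored state to compare against';
    }
    // Constant-time comparison of the stored and returned values.
    if (!hash_equals($cookie[STATE_COOKIE], $get['state'])) {
        return 'state-mismatch: stored and returned state differ';
    }
    return 'ok';
}

// Constructed sample inputs (not values from the thread).
$state = base64_encode(json_encode(['nonce' => 'constructed-nonce', 'redirect_to' => '/']));
$url   = ['auth0' => '1', 'code' => 'constructed-code', 'state' => $state];

$cases = [
    'healthy callback' => [$url, $url, [STATE_COOKIE => $state]],
    'globals altered'  => [$url, ['auth0' => '1'], [STATE_COOKIE => $state]],
    'cookie missing'   => [$url, $url, []],
    'stale state'      => [$url, $url, [STATE_COOKIE => 'older-value']],
];

foreach ($cases as $label => [$get, $request, $cookie]) {
    printf("%-18s %s\n", $label, diagnose_callback($get, $request, $cookie));
}
```

Feeding the three arrays from the troubleshooting dump into the same function separates a missing cookie from altered request globals, which are fixed in different places (cookie handling and caching on one side, PHP configuration or another plugin on the other).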

I spun up a test site on GoDaddy and the same thing happens on a blank site

It sounds like GoDaddy is handling these PHP globals in a non-standard way. If you still have a support thread going with them, can you add my email address there and point them to this thread? josh dot cunningham at auth0 dot com. We’d like to support as many of the big hosting providers as possible and if we need to augment the way we’re saving and retrieving this data, as long as it’s not a major change, we’re happy to do that.
