"Invalid state" error during Auth0 WordPress redirect

Hi,

I have been trying to setup the auth0 plugin on a Wordpress site and am experiencing issues after the login.

After using the login form I am successfully authenticated and the redirect begins. However during the redirect I get a 500 internal server error and receive the following response.

I have not been able to find any mention of someone else receiving similar errors and have a feeling it could be related to a plugin issue. Not sure if anyone can think of a reason that the auth0 plugin would be behaving this way (a setting? etc.) or if it is most likely an error with a plugin conflict?

Hi @mmorry, apologies for the trouble here, I’m happy to help figure out what’s going on.

You mentioned the 500 error but are you seeing an error message in your browser? When something goes wrong during the callback (AKA: right after redirection to your site) you should see a message of some kind telling you what the problem is.

There were a number of changes to how errors were handled during the callback, as well as an additional security check added that might be causing the problem. We added state verification in version 3.6.0 and have had one other report of it failing during callback with the message “Invalid state.” The issue there was the callback URL being cached on the host. The fix was to stop caching the site URL (/index.php on a regular install) if it has an auth0 URL parameter on there.

If that’s not the error message, let me know what error message you’re seeing along with:

  • PHP version used
  • plugin version used
  • any error messages in the JS console on the login page

Thanks!

Hi Josh,

I am only seeing a blank page in the browser after I login, and when I open the dev tools I can see a 500 error during a network process (index.php?auth0=1 etc.). If I reload the page I see an invalid state message on the screen, I wasn’t sure if that error was because of me refreshing the page though.

PHP version: 5.5.9
Auth0 Plugin version: 3.6.1

No other errors are recorded.

@mmorry - OK that still tells us something. It sounds like there is an error that we’re not catching. Your PHP version is fine so no problems there.

Can you check your Auth0 plugin error log as well as your PHP error log and let me know if something is showing up there around the time when you’re logging in? Also, if you can test with WP_DEBUG on (dev/test install), that would be helpful as well. That should show what’s failing.

Okay so there are no errors showing up in the auth0 error log when I login. In the auth0 dashboard I can see that the user is logging in as well.

I turned on debug and it came back with an error saying Callback URL mismatch. After checking in the applications page I noticed that the mismatch was coming from the www being missing from the Allowed Callback URLs. I added these into the application settings and now when I login it goes straight to the page below instead of hanging on a blank page.

After this since I was still getting an error I tried with debug on again and received the following error which I am currently trying to work through:

Fatal error: Uncaught exception ‘BeforeValidException’ with message ‘Cannot handle token prior to (iat) 2018-06-25T22:54:05+0000’ in /var/www/site-name.com/wp-content/plugins/auth0/lib/php-jwt/Authentication/JWT.php:93 Stack trace: #0 /var/www/site-name.com/wp-content/plugins/auth0/lib/WP_Auth0_LoginManager.php(235): JWT::decode(‘eyJ0eXAiOiJKV1Q’, Array, Array) #1 /var/www/site-name.com/wp-content/plugins/auth0/lib/WP_Auth0_LoginManager.php(157): WP_Auth0_LoginManager->redirect_login() #2 [internal function]: WP_Auth0_LoginManager->init_auth0(‘’) #3 /var/www/site-name.com/wp-includes/class-wp-hook.php(286): call_user_func_array(Array, Array) #4 /var/www/site-name.com/wp-includes/class-wp-hook.php(310): WP_Hook->apply_filters(‘’, Array) #5 /var/www/site-name.com/wp-includes/plugin.php(453): WP_Hook->do_action(Array) #6 /var/www/site-name.com/wp-includes/template-loader.php(12): do_action(‘template_redire’) #7 /var/www/site-name.com/wp-blog-header.php(19): require_once(‘/var/www/simble’) #8 /var/www in /var/www/site-name.com/wp-content/plugins/auth0/lib/php-jwt/Authentication/JWT.php on line 93

After looking at the previous error, it looks like it probably could have something to do with the auth0_state cookie value being deleted somewhere along the way and having the expiry set to an old date (see original photos) which is then throwing the error 'Cannot handle token prior to'

Okay so there are no errors showing up in the auth0 error log when I login.

Is that the Auth0 dashboard error log or the one in wp-admin > Auth0 > Error Log? This is definitely a callback issue on the WP site. If you end up on that URL then the Auth0 authentication passed.

I turned on debug and it came back with an error saying Callback URL mismatch

Was it in a nice WP error display (like the screenshot here) or just unformatted black text on white? Do you see that error message in the URL?

now when I login it goes straight to the page below instead of hanging on a blank page.

That shows after the redirect now? That’s a security feature added in 3.6.0 and relies on having a cookie set on login and validated on the callback. Can you check your hosting setup and see if that callback URL is cached?

Fatal error: Uncaught exception ‘BeforeValidException’ with message ‘Cannot handle token prior to (iat) 2018-06-25T22:54:05+0000’

That usually happens if your server’s time is not set properly. It’s saying that the token you got was generated before the current time, which could only happen if one of the two times is off (it’s not Auth0’s or our service wouldn’t work :slight_smile: ). Check what echo current_time( 'c' ) outputs on your server.

That said, we definitely need some error handling there and I’ll make sure to add that in the upcoming patch release.

I was looking at the error log in the wp-admin > Auth0 > Error Log.

It was just unformatted black text on white. I don’t see anything reflected in the url.

Yes it is showing up now after I login. However it does not seem to be completely consistent, this could just be due to me testing this while debugging though.

Sorry but I am not quite sure what you mean by this?

The time format I am outputting is: 2018-06-26T00:41:22+00:00.

I have continued debugging and have been unable to get the ‘BeforeValidException’ to show up again. Instead I am just seeing the formatted screen with:

‘There was a problem with your login: Invalid State [error code: unknown]’

Just updating in regards to the ‘BeforeValidException’.

I have been debugging and the redirect_login() always fails when decoding the id_token (JWT::decode()) with the time exception. When I look at the timestamps that are being compared there is today’s date and a date in July 1974 which is why it is failing at this point.

However I am not sure why the state is being returned with an invalid date. You mentioned that stopping caching the site URL when it has an auth0 parameter in it could potentially be a fix. Could you advise/point me in a direction about how to go about this in WordPress? Sorry, I am quite new to WordPress and am just getting familiar with how it works.

The ID token error is unrelated to state. I’m not sure exactly why that was happening but we’re adding better error handling so, at the very least, you get a better failure message. Login will still fail in that condition but it will give a more helpful message. Tracking that here:

https://github.com/auth0/wp-auth0/pull/492

For the invalid state problem, I put together some detailed debugging steps here:

As mentioned at the bottom, if those do not resolve the issue, please post back here a complete HAR file I can take a look at.

Thanks for your patience while we get this figured out together!

Hi @josh.cunningham,

I have gone through the troubleshooting article you put together.

All the steps came out successful and I continued to debug the plugin and it turns out the time on our WordPress is running 5 minutes behind the current time which was causing the ‘BeforeValidException’. I modified the plugin to add an offset temporarily but will have to look into fixing the current time as well.

Thank you so much for your help!

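The two callback checks discussed in this thread, the auth0_state cookie comparison and the id_token time-claim check that raised ‘BeforeValidException’ on a clock running 5 minutes slow, reduced to plain PHP. This is an added example, not the wp-auth0 plugin’s code; it assumes PHP 7.1+ and the function names are hypothetical.

```php
<?php
// Added example, not wp-auth0 code. Plain-PHP versions of the two callback
// checks from the thread, runnable from the CLI (php example.php).
declare(strict_types=1);

// Fresh state nonce to store in the auth0_state cookie at login time.
function auth0_new_state(): string
{
    return bin2hex(random_bytes(16));
}

// State check: the `state` query parameter Auth0 sends back must equal the
// value stored in the cookie at login. Constant-time compare; a missing or
// emptied cookie (e.g. a callback response replayed from a host cache) fails.
function auth0_state_is_valid(?string $query_state, ?string $cookie_state): bool
{
    if ($query_state === null || $cookie_state === null || $cookie_state === '') {
        return false;
    }
    return hash_equals($cookie_state, $query_state);
}

// Time-claim check in the spirit of JWT::decode (iat/nbf/exp), with an
// explicit clock-skew allowance in seconds. Returns null when acceptable,
// otherwise a reason that names the claim, which is the error handling the
// thread asks for. Fixing the server clock (NTP) is the real remedy; leeway
// only tolerates small drift.
function id_token_time_error(array $claims, int $now, int $leeway = 0): ?string
{
    if (isset($claims['iat']) && $claims['iat'] > $now + $leeway) {
        return 'Cannot handle token prior to (iat) ' . gmdate('c', $claims['iat'])
            . ' - server clock is ' . ($claims['iat'] - $now) . 's behind the issuer';
    }
    if (isset($claims['nbf']) && $claims['nbf'] > $now + $leeway) {
        return 'Token not yet valid (nbf) ' . gmdate('c', $claims['nbf']);
    }
    if (isset($claims['exp']) && $claims['exp'] <= $now - $leeway) {
        return 'Token expired (exp) ' . gmdate('c', $claims['exp']);
    }
    return null;
}

// Constructed demo values: the iat from the thread and a server clock 300s slow.
$issued_at = strtotime('2018-06-25T22:54:05+0000');
$claims    = ['iat' => $issued_at, 'exp' => $issued_at + 36000];
$slow_now  = $issued_at - 300;
$state     = auth0_new_state();

var_dump(auth0_state_is_valid($state, $state));          // bool(true)
var_dump(auth0_state_is_valid($state, null));            // bool(false): cookie gone
var_dump(id_token_time_error($claims, $slow_now));       // string: iat error
var_dump(id_token_time_error($claims, $slow_now, 600));  // NULL: drift tolerated
```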

Happy to help @mmorry!

I use wpengine to host my site and they do not allow caching of the main page to be turned off. Does anyone else host using wpengine that found a solution to this? Thanks for the detailed article.

Ok I just talked to WPEngine and there is no setting to disable the caching of the auth0_state cookie, but if you reach out to their support team, they will disable caching for it manually and it all works!


Thanks for the input, @johnb! We’ve worked with WP-Engine with customers before and have been able to resolve any caching issues directly with them. If you can get them to exclude the callback URL from caching, then you should be fine!

Hi, Josh.

Same issue here. My wordpress site just started blocking out validated users and now the only error message I get is “There was a problem with your log in: Invalid state [error code: unknown]”. I’ve followed all of the steps and I’m working with my hosting company to exclude the cookie from being cached, but my issue is that it works on my staging server and not my production server. My staging server has no issues, but the production server just stopped working altogether when it was working fine up until yesterday. Need some help please. Thanks.


This is most definitely caching. WP-Engine and other hosts turn caching off or down so troubleshooting issues (not related to caching) is easier. Have them turn off caching completely for the callback URLs in your Application settings.

I’m getting this error as well, but not with Wordpress. Users get a 500 error on my redirected PHP page sporadically, I cannot seem to reproduce the error myself. When this happens, my nginx error log shows a similar entry as above:

PHP message: PHP Fatal error: Uncaught Auth0\SDK\Exception\CoreException: Invalid state in /var/www/blah.com/vendor/auth0/auth0-php/src/Auth0.php:444

Looking through your tutorial on troubleshooting, I made the following changes to my setup:

  1. Added a version of my redirect page sans www.
  2. Added no cache headers to my redirect page.

I’ve not seen the error in my logs since making these two changes. Since this bug is intermittent I cannot reliably verify it’s been resolved for me. Going to keep an eye on the logs. @josh.cunningham Should I start a new thread since my situation doesn’t involve WP?

@Ben_Smith - Yes, that would be great. That’s with the PHP SDK so add a new thread here if you need guidance on that (tagged php) or an Issue on GitHub if you find the specific problem