Invalid state error when using /authorize endpoint directly in conjunction with the Auth0 SPA SDK

Hi,

I’m making a request to the /authorize endpoint which is redirecting me to the login page where I enter my credentials and login. I am then redirected to the redirect_uri provided with the state value I had initially set when making the /authorize endpoint request. However, an Invalid state error is thrown. The redirect_uri endpoint is using the Auth0 SPA SDK. It looks like an item is set in sessionStorage but the state value that is set in there does not match the state value I sent/received in the query parameters.

Is it possible to call the /authorize endpoint directly and have the Auth0 SPA SDK recognize the state I had initially set in the /authorize request?

Hi @mahmut.surekci,

Welcome to the Auth0 Community!

I understand you have experienced an Invalid State Error when calling the /authorize endpoint.

This error can happen when the state parameter gets lost during the authentication flow.

When the first request is made to Auth0’s /authorize endpoint, a state parameter is passed to Auth0. When Auth0 returns to the application’s /callback endpoint with a code, it will supply the same state value. If the SDK in the app loses the state that was originally sent to the /authorize endpoint, then an Invalid state error is thrown.

Yes, AFAIK, this should be possible. To look into this issue further, could you please capture the login events in a HAR file and send them to me as a direct message?

Thank you,
Rueben

Hi Rueben,

I’ve sent you a message in private but, I’ve not received a response yet. I’d appreciate it if you could get back to me.

Thanks,
Mahmut

Hi @mahmut.surekci,

Thank you for your reply.

After resolving the issue with you via direct messages, I am sharing the solution here to help the rest of the Community.

Having investigated the HAR file carefully, I could not find any errors or issues with authentication. Both the /authorize request and the callback URL seem to be functioning without any problems.

The HAR file clearly shows that an initial request was made to the /authorize endpoint. Subsequently, the login transaction was successful and the user was redirected back to the callback URL, also without any issues.

Moreover, I have verified that the state parameter passed to the /authorize endpoint matches the one returned in the callback URL. Therefore, I can confirm that the state values are consistent.

In my research, I found that the allowed length for the state parameter value is not unlimited. Hence, using a three-character string for the state, as observed in your HAR file, should not cause any problems.

(Reference: Prevent Attacks and Redirect Users with OAuth 2.0 State Parameters)

In this case, I recommend logging in using the loginWithRedirect() method. This should generate the state parameter on your behalf and guarantees that it does not lose context throughout the transaction.

Thanks,
Rueben
