Invalid token - login via cypress


I have followed this guide trying to login to auth0 via cypress.
I did exacly as the guide says but unfortunately I get the following error on the auth0.parseHash function:
{error: "invalid_token", errorDescription: "Cannot read property 'state' of null"}

I saw the following post that claims that works around this issue, but I am using the new Universal Login and dont want to switch back to the classic version.

General information:
I disabled the chrome security and I am using a custom domain.

How can i solve this issue with the new universal login?

Thank you.

Hi @orayya

This is a quick summary of what I understood is being done by the cypress guide:

  • The test runner gives you the possibility of logging the user in by:
    • Exchange a test user credentials for a token result directly, using the Resource Owner Pasword Grant (this is a direct server call, no browser involved)
    • Inject that token response in the app’s callback URL. Since the authentication was not actually started by Auth0.js (this is simulated), there was no state originally generated. So it generates a fake one and stores it in a cookie, so that Auth0.js thinks everything is OK.

To troubleshoot this, I would put some debug statements or breakpoints in this code:

describe('login', () => {
  it('should successfully log into our app', () => {
      .then((resp) => {
        return resp.body;
      .then((body) => {
        const {access_token, expires_in, id_token} = body;
        const auth0State = {
          nonce: '',
          state: 'some-random-state'
        const callbackUrl = `/callback#access_token=${access_token}&scope=openid&id_token=${id_token}&expires_in=${expires_in}&token_type=Bearer&state=${auth0State.state}`;
        cy.visit(callbackUrl, {
          onBeforeLoad(win) {
            win.document.cookie = 'com.auth0.auth.some-random-state=' + JSON.stringify(auth0State);

It assumes the body will have the expected response, but the token request could fail for a few reasons. Among them:

  • The client ID/client secret are incorrect
  • The username/password are incorrect
  • The Resource Owner Password grant type is not enabled for the app.
  • A rule is denying authorization

Putting some additional error handling code in there might help you understand what’s going on.

One more thing: the guide tells you to create an app of type “Single Page”. This application type defaults to Token Endpoint Authentication set to None. But the code provides a client secret, so you should configure the Token Endpoint Authentication Method in the app that represents the test suite to Post.

Hope this helps.

1 Like