
Lock v11 auth.params.state is not a valid Base64 value



In the new v11 of the Auth0 Lock control, the documentation now states:

The state parameter is an arbitrary state value that will be maintained across redirects. It is useful to mitigate XSRF attacks and for any contextual information, such as a return url, that you might need after the authentication process is finished. If a custom state parameter is not provided, Lock will automatically generate one.
The bolded sentence is new for V11, but this causes issues with our code. Currently, if we need a redirect URL once a user is authenticated, we URLEncode the URL, then Base64 encode it (per the docs). Upon the authentication callback, we check for the ‘state’ query parameter and, if it exists, base64 decode the value to get the URL. In Lock V10, if we did not add a state parameter, there was no state parameter returned, and all was fine. In V11, if we do not include a redirect URL in the state parameter (essentially no state), Auth0, per the docs above, generates one. However, the value of the state parameter is NOT a valid Base64 encoded string, which causes an exception when we try to decode the string. (For example: code=u2pieSEWOI9XHSLz&state=syZ6wQa9eG-jrtv5TRQgBrsetJU666NU Note that the state parameter is INVALID Base64.)

What do we need to do to correct this, short of attempting to decode and, if it fails, ignoring it (hacky workaround)?




I understand the issue, not sure if we can help much.

Adding a state parameter is the right thing to do security wise, and the spec does not specify that it needs to be base64-encoded.

We suggest here that if you want to keep some values during the login flow you can use the state variable and base64-encode the values, and that still works.

Even if we did base64-encode our state parameter, you will still need to find a way to know whether it’s “our” state parameter, which you’d need to ignore, or yours, which you’ll need to process, so you will still need to hack something.

I think the best option would be for you to provide a state parameter in all cases.