OAuth2: State Parameter is Missing in Redirect URL After Login

1. Issue Summary

I am integrating Auth0 with my application and using the OAuth2 Authorization Code Flow.
However, after the user logs in and is redirected back to my application, the state parameter is missing from the redirect URL.

2. Environment Information

  • Auth0 Tenant Name: (e.g., dev-co3n6kchcdppbwi3)
  • Application Name: (e.g., kinelp)
  • Client ID: (cFn9R2yusqekB5dsWY6DhRCwfXQm5TF4)
  • Grant Type: Authorization Code Flow
  • Redirect URI: https://kinelp.com/api/1.1/oauth_redirect

3. Issue Details

When initiating authentication, I send the following authorization request:
https://dev-co3n6kchcdppbwi3.jp.auth0.com/authorize
?response_type=code
&client_id=cFn9R2yusqekB5dsWY6DhRCwfXQm5TF4
&redirect_uri=https%3A%2F%2Fkinelp…com%2Fapi%2F1.1%2Foauth_redirect
&scope=openid%20profile%20email

After logging in successfully, the user is redirected to my callback URL:
https://kinelp.com/api/1.1/oauth_redirect?code=uHva-kujXP3NWV_wpoA-4__7sJ4nMSobdhxUaK4SJJ9do

The expected behavior is that the state parameter should also be included in the redirect URL, like this:
https://kinelp.com/api/1.1/oauth_redirect?code=uHva-kujXP3NWV_wpoA-4__7sJ4nMSobdhxUaK4SJJ9do&state=XXXXXXXXXXXXX

However, the state parameter is missing.

4. Troubleshooting Attempts

  • OIDC Conformant Mode: Enabled
  • State Parameter: I have checked the OAuth settings, but there is no explicit option to require the state parameter.
  • Nonce: I tried adding nonce to the authorization request, but state is still not included in the redirect.
  • Allowed Callback URLs: https://kinelp.com/api/1.1/oauth_redirect is correctly set in the Auth0 application settings.
  • Checked Other Configurations: I reviewed the advanced settings under OAuth, but couldn’t find any misconfigurations.

5. Questions

  1. Why is the state parameter missing from the redirect URL even though Auth0 generates it automatically?
  2. Is there a specific setting to ensure that state is always included in the redirect?
  3. Are there any additional configurations required to enforce state validation in this setup?

Thank you for your support.

Best regards,

Hi @harumaki.ono,

Our documentation on Prevent Attacks and Redirect Users with OAuth 2.0 State Parameters provides a brief example on how to set and compare the state parameter values in your /authorize request. So the state value has to be implicitly requested in order to get it as a response.

If you are using one of our SDKs, the state might or might not be already integrated, so I would recommend again to check your /authorize call. You can try checking this out, and also let me know what SDK you are using.

I hope this helps your use case.
Thanks,
Remus
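The point of the reply above is that Auth0 only echoes back a state value the client itself put into the /authorize request. The following is an added example, not code from the question, from Auth0 or from any Auth0 SDK, showing the client side of that contract with the tenant domain, client ID and redirect URI from the question: generate an unguessable state, include it in the authorization URL, and refuse any callback whose state does not match the stored one.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Values taken from the question above.
AUTH0_DOMAIN = "dev-co3n6kchcdppbwi3.jp.auth0.com"
CLIENT_ID = "cFn9R2yusqekB5dsWY6DhRCwfXQm5TF4"
REDIRECT_URI = "https://kinelp.com/api/1.1/oauth_redirect"


def new_state() -> str:
    """Per-login random value; persist it server-side (e.g. in the session) before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(state: str, scope: str = "openid profile email") -> str:
    """The question's /authorize request plus the state parameter it was missing."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return f"https://{AUTH0_DOMAIN}/authorize?{urlencode(params)}"


def validate_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code only if the echoed state equals the stored one.

    Raises ValueError otherwise, so a callback that was not started by this
    session (no state, or a different state) is never exchanged for tokens.
    """
    query = parse_qs(urlparse(callback_url).query)
    received_state = query.get("state", [None])[0]
    if received_state is None:
        raise ValueError("callback has no state parameter")
    if not secrets.compare_digest(received_state, expected_state):
        raise ValueError("state mismatch")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback has no authorization code")
    return code


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url(state))
    # Constructed callback mirroring the one in the question, with state echoed back.
    cb = f"{REDIRECT_URI}?code=uHva-kujXP3NWV_wpoA-4__7sJ4nMSobdhxUaK4SJJ9do&state={state}"
    print(validate_callback(cb, state))
```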
