OAuth2: State Parameter is Missing in Redirect URL After Login

harumaki.ono · March 16, 2025, 1:14pm

1. Issue Summary

I am integrating Auth0 with my application and using the OAuth2 Authorization Code Flow.
However, after the user logs in and is redirected back to my application, the state parameter is missing from the redirect URL.

2. Environment Information

Auth0 Tenant Name: (e.g., dev-co3n6kchcdppbwi3)
Application Name: (e.g., kinelp)
Client ID: (cFn9R2yusqekB5dsWY6DhRCwfXQm5TF4)
Grant Type: Authorization Code Flow
Redirect URI: https://kinelp.com/api/1.1/oauth_redirect

3. Issue Details

When initiating authentication, I send the following authorization request:
‘https’://dev-co3n6kchcdppbwi3.jp.auth0.com/authorize
?response_type=code
&client_id=cFn9R2yusqekB5dsWY6DhRCwfXQm5TF4
&redirect_uri=https%3A%2F%2Fkinelp…com%2Fapi%2F1.1%2Foauth_redirect
&scope=openid%20profile%20email

After logging in successfully, the user is redirected to my callback URL:
‘https’://kinelp.com/api/1.1/oauth_redirect?code=uHva-kujXP3NWV_wpoA-4__7sJ4nMSobdhxUaK4SJJ9do

The expected behavior is that the state parameter should also be included in the redirect URL, like this:
‘https’://kinelp.com/api/1.1/oauth_redirect?code=uHva-kujXP3NWV_wpoA-4__7sJ4nMSobdhxUaK4SJJ9do&state=XXXXXXXXXXXXX

However, the state parameter is missing.

4. Troubleshooting Attempts

OIDC Conformant Mode: Enabled
State Parameter: I have checked the OAuth settings, but there is no explicit option to require the state parameter.
Nonce: I tried adding nonce to the authorization request, but state is still not included in the redirect.
Allowed Callback URLs: https://kinelp.com/api/1.1/oauth_redirect is correctly set in the Auth0 application settings.
Checked Other Configurations: I reviewed the advanced settings under OAuth, but couldn’t find any misconfigurations.

5. Questions

Why is the state parameter missing from the redirect URL even though Auth0 generates it automatically?
Is there a specific setting to ensure that state is always included in the redirect?
Are there any additional configurations required to enforce state validation in this setup?

Thank you for your support.

Best regards,

remus.ivan · March 18, 2025, 9:10pm

Hi @harumaki.ono,

Our documentation on Prevent Attacks and Redirect Users with OAuth 2.0 State Parameters provides a brief example on how to set and compare the state parameter values in your /authorize request. So the state value has to be implicitly requested in order to get it as a response.

If you are using one of our SDK’s, the state might or might not be already integrated, so i would recommend again to check your /authorize call. You can try checking this out, and also let me know what SDK you are using.

I hope this helps your use case.
Thanks,
Remus

system · April 1, 2025, 9:11pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to handle state parameters to redirect Get Help login-experience , new-universal-login-experience	2	2219	October 18, 2023
State parameter not being injected into redirect url after accepting an invite Get Help auth0 , login	0	1832	March 15, 2022
Access State Param used in Redirect before redirecting Get Help login-experience , new-universal-login-experience	5	36	January 23, 2025
State Parameter Is Not Appended in Redirect User Action Get Help redirect , state , actions	5	3346	May 20, 2022
State parameter missing from callback Get Help bug , pkce , callback	3	5367	July 10, 2021