OAuth2: State Parameter is Missing in Redirect URL After Login

harumaki.ono · March 16, 2025, 1:14pm

1. Issue Summary

I am integrating Auth0 with my application and using the OAuth2 Authorization Code Flow.
However, after the user logs in and is redirected back to my application, the state parameter is missing from the redirect URL.

2. Environment Information

Auth0 Tenant Name: (e.g., dev-co3n6kchcdppbwi3)
Application Name: (e.g., kinelp)
Client ID: (cFn9R2yusqekB5dsWY6DhRCwfXQm5TF4)
Grant Type: Authorization Code Flow
Redirect URI: https://kinelp.com/api/1.1/oauth_redirect

3. Issue Details

When initiating authentication, I send the following authorization request:
‘https’://dev-co3n6kchcdppbwi3.jp.auth0.com/authorize
?response_type=code
&client_id=cFn9R2yusqekB5dsWY6DhRCwfXQm5TF4
&redirect_uri=https%3A%2F%2Fkinelp…com%2Fapi%2F1.1%2Foauth_redirect
&scope=openid%20profile%20email

After logging in successfully, the user is redirected to my callback URL:
‘https’://kinelp.com/api/1.1/oauth_redirect?code=uHva-kujXP3NWV_wpoA-4__7sJ4nMSobdhxUaK4SJJ9do

The expected behavior is that the state parameter should also be included in the redirect URL, like this:
‘https’://kinelp.com/api/1.1/oauth_redirect?code=uHva-kujXP3NWV_wpoA-4__7sJ4nMSobdhxUaK4SJJ9do&state=XXXXXXXXXXXXX

However, the state parameter is missing.

4. Troubleshooting Attempts

OIDC Conformant Mode: Enabled
State Parameter: I have checked the OAuth settings, but there is no explicit option to require the state parameter.
Nonce: I tried adding nonce to the authorization request, but state is still not included in the redirect.
Allowed Callback URLs: https://kinelp.com/api/1.1/oauth_redirect is correctly set in the Auth0 application settings.
Checked Other Configurations: I reviewed the advanced settings under OAuth, but couldn’t find any misconfigurations.

5. Questions

Why is the state parameter missing from the redirect URL even though Auth0 generates it automatically?
Is there a specific setting to ensure that state is always included in the redirect?
Are there any additional configurations required to enforce state validation in this setup?

Thank you for your support.

Best regards,

remus.ivan · March 18, 2025, 9:10pm

Hi @harumaki.ono,

Our documentation on Prevent Attacks and Redirect Users with OAuth 2.0 State Parameters provides a brief example on how to set and compare the state parameter values in your /authorize request. So the state value has to be implicitly requested in order to get it as a response.

If you are using one of our SDK’s, the state might or might not be already integrated, so i would recommend again to check your /authorize call. You can try checking this out, and also let me know what SDK you are using.

I hope this helps your use case.
Thanks,
Remus

system · April 1, 2025, 9:11pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
State parameter missing from callback Get Help bug , pkce , callback	3	5536	July 10, 2021
State not received anymore on "implicit grant" Get Help	8	4006	March 22, 2018
State parameter and user redirection Get Help session , redirect , state	4	19825	March 2, 2018
state: return_url not behaving as expected Get Help state	2	3767	March 2, 2018
Invalid state error after using Oauth with Auth0 React SPA Get Help oauth , spa , react , state	4	6374	December 17, 2020