1. Issue Summary
I am integrating Auth0 with my application and using the OAuth2 Authorization Code Flow.
However, after the user logs in and is redirected back to my application, the state
parameter is missing from the redirect URL.
2. Environment Information
- Auth0 Tenant Name: (e.g., dev-co3n6kchcdppbwi3)
- Application Name: (e.g., kinelp)
- Client ID: (cFn9R2yusqekB5dsWY6DhRCwfXQm5TF4)
- Grant Type: Authorization Code Flow
- Redirect URI: https://kinelp.com/api/1.1/oauth_redirect
3. Issue Details
When initiating authentication, I send the following authorization request:
https://dev-co3n6kchcdppbwi3.jp.auth0.com/authorize
?response_type=code
&client_id=cFn9R2yusqekB5dsWY6DhRCwfXQm5TF4
&redirect_uri=https%3A%2F%2Fkinelp…com%2Fapi%2F1.1%2Foauth_redirect
&scope=openid%20profile%20email
After logging in successfully, the user is redirected to my callback URL:
https://kinelp.com/api/1.1/oauth_redirect?code=uHva-kujXP3NWV_wpoA-4__7sJ4nMSobdhxUaK4SJJ9do
The expected behavior is that the state
parameter should also be included in the redirect URL, like this:
https://kinelp.com/api/1.1/oauth_redirect?code=uHva-kujXP3NWV_wpoA-4__7sJ4nMSobdhxUaK4SJJ9do&state=XXXXXXXXXXXXX
However, the state
parameter is missing.
4. Troubleshooting Attempts
- OIDC Conformant Mode: Enabled
- State Parameter: I have checked the OAuth settings, but there is no explicit option to require the state parameter.
- Nonce: I tried adding nonce to the authorization request, but state is still not included in the redirect.
- Allowed Callback URLs: https://kinelp.com/api/1.1/oauth_redirect is correctly set in the Auth0 application settings.
- Checked Other Configurations: I reviewed the advanced settings under OAuth, but couldn’t find any misconfigurations.
5. Questions
- Why is the state parameter missing from the redirect URL even though Auth0 generates it automatically?
- Is there a specific setting to ensure that state is always included in the redirect?
- Are there any additional configurations required to enforce state validation in this setup?
Thank you for your support.
Best regards,
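
Added example, not part of the original post and not Auth0's code: under RFC 6749 section 4.1.2 the authorization server echoes state only when the client sent one, and the authorization request shown in the post carries no state value. The sketch below generates state on the client side, binds it to the user's session, and validates it on the callback. The function names and the dict used as a session store are assumptions; the endpoint, client ID and redirect URI are the ones given in the post.

```python
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Values as given in the post above.
AUTHORIZE_ENDPOINT = "https://dev-co3n6kchcdppbwi3.jp.auth0.com/authorize"
CLIENT_ID = "cFn9R2yusqekB5dsWY6DhRCwfXQm5TF4"
REDIRECT_URI = "https://kinelp.com/api/1.1/oauth_redirect"


def build_authorization_url(session):
    """Create an unguessable state, store it in the session, send it along."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state  # session: hypothetical per-user server-side store
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
    }, quote_via=quote)
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def handle_callback(callback_url, session):
    """Return the authorization code only if state matches this session."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replay fails
    returned = params.get("state", [None])[0]
    if expected is None or returned is None:
        raise ValueError("state missing from session or callback")
    # Constant-time comparison; bytes so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(expected.encode(), returned.encode()):
        raise ValueError("state mismatch: possible CSRF on the callback")
    code = params.get("code", [None])[0]
    if code is None:
        raise ValueError("authorization code missing from callback")
    return code
```

A callback that arrives without state, or with a value that differs from the one stored for that session, is rejected before the code is exchanged for tokens.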