I’m using an API that leverages Auth0’s legacy Authentication API to log a user in like this: https://auth0.com/docs/api/authentication#resource-owner
The API call succeeds, and I pass the access token, ID token, and token type to my front-end UI, then set them on window.location.hash so it looks like this:
https://{{mydomainhere}}/controller/action#access_token=valuehere&id_token=valuehere&token_type=Bearer
Then I call Auth0’s JavaScript library (v9.7.3) webAuth.parseHash(…), passing in the window.location.hash containing the hash in the URL above. It’s at this step that I get an error “invalid_token: ‘state’ does not match”.
Checking the logs in Auth0, I see “Success Exchange (Password for Access Token)” then “Failed Silent Auth (Login required)”. I am not using auth0.js to initiate authorization since I’ve done so via my API, so I’m not sure why auth0.js views this as a silent auth request.
This worked about a year ago, but now I’m revisiting this code and it’s failing. Is what I’m trying to do possible?
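
The error text quoted above refers to the OAuth `state` parameter, which ties a redirect response to a request the same browser started. The following is an added example, not part of the original post and not auth0.js code: a generic model of that check showing that a fragment assembled by hand, like the one in the post, carries no `state` and is rejected by a handler that enforces it. All function names, the in-memory store, and the sample values are assumptions made for illustration.

```javascript
// Added illustration: generic model of a `state` check on a redirect callback.
// Not auth0.js source; every name below is hypothetical.

// Called when the client itself starts an authorization request.
// `state` must come from a CSPRNG in real code; here the caller supplies it.
function rememberState(store, state) {
  store.set(state, { createdAt: Date.now() });
}

// Turn "#a=b&c=d" into { a: "b", c: "d" }.
function parseFragment(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  return Object.fromEntries(params.entries());
}

// Accept tokens only when `state` matches a pending request, then consume it.
function handleCallback(hash, store) {
  const p = parseFragment(hash);
  if (!p.access_token && !p.id_token) {
    return { ok: false, error: "no_tokens" };
  }
  if (p.state === undefined || !store.has(p.state)) {
    return { ok: false, error: "invalid_token", description: "state does not match" };
  }
  store.delete(p.state); // single use: a replayed fragment fails
  return { ok: true, accessToken: p.access_token, idToken: p.id_token, tokenType: p.token_type };
}

// Runs three constructed cases and returns the outcome of each.
function demo() {
  const store = new Map();
  const tokens = "access_token=valuehere&id_token=valuehere&token_type=Bearer";
  const state = "constructed-sample-state-0001"; // constructed value, not random
  rememberState(store, state);
  return {
    // Tokens obtained elsewhere and written into the hash: no state at all.
    handBuilt: handleCallback("#" + tokens, store),
    // Response to a request this client started.
    redirected: handleCallback("#" + tokens + "&state=" + state, store),
    // Same fragment presented a second time.
    replayed: handleCallback("#" + tokens + "&state=" + state, store),
  };
}

console.log(demo());
```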