
Passing 'appState' option to webAuth.authorize results in error

#1

According to the SPA quickstarts it should be possible to pass an arbitrary appState parameter to authorize such that it is preserved during redirects.

Example:

webAuth.authorize({
  appState: { target: to.path },
});

It works; however, an error is printed on the JS console:

Following parameters are not allowed on the /authorize endpoint: [app_state]

Is the documentation wrong or is there a bug in the JS library?

#2

I have sent a note to our docs team to look into this.

appState is a local state and may work for what you need, but there are a couple of issues with this:

  1. appState is not a documented part of the SDK, and until it is, I would caution against using it in case it gets deprecated or changed.
  2. It throws the error in the console. It seems like just a warning, so perhaps not a huge deal, but it is still something to consider.

Another option is to use the state parameter instead.

NOTE: if you do switch to using state, it is also a good idea to add a nonce to the object you are sending, so you are closing the loop on possible CSRF attacks. See our Redirecting users with state docs for more information.
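
One way to follow the suggestion in reply #2 (carry the redirect target in state together with a nonce), as an added example that is not part of the thread or of the Auth0 SDK. The function names, the storage key and the in-memory storage are assumptions; the string returned by createState would be passed as the state option, and the state value that comes back on the callback would be given to consumeState.

```javascript
// Added example, not Auth0 SDK code. All names below are hypothetical.
const NONCE_KEY = 'login_state_nonce';
// Browsers and current Node expose Web Crypto globally; the fallback covers older Node.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// In-memory stand-in so this runs outside a browser; pass sessionStorage in an SPA.
function memoryStorage() {
  const items = new Map();
  return {
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    setItem: (k, v) => { items.set(k, String(v)); },
    removeItem: (k) => { items.delete(k); },
  };
}

// Before the redirect: remember a random nonce locally and embed it in `state`.
function createState(target, storage) {
  const bytes = rng.getRandomValues(new Uint8Array(16));
  const nonce = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
  storage.setItem(NONCE_KEY, nonce);
  return JSON.stringify({ nonce, target });
}

// On the callback: returns the path to route to, or null when the response
// does not match a login this browser started.
function consumeState(returnedState, storage) {
  const expected = storage.getItem(NONCE_KEY);
  storage.removeItem(NONCE_KEY); // single use, also on failure
  if (!expected || typeof returnedState !== 'string') return null;
  let parsed;
  try {
    parsed = JSON.parse(returnedState);
  } catch {
    return null;
  }
  if (!parsed || parsed.nonce !== expected) return null;
  // Only same-origin paths are accepted as a target; anything else falls back to '/'.
  const ok = typeof parsed.target === 'string' && /^\/(?![\/\\])/.test(parsed.target);
  return ok ? parsed.target : '/';
}
```

A null result means the callback should be discarded rather than routed anywhere.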

#3

Thank you. I’ll look at using the state property instead. I just found it strange that all the examples were referring to the appState property while I couldn’t find it anywhere in the documentation/API reference.

#4

Yes, after more digging, I found that appState has special behavior. I have asked the team to document it as a feature in the SDK or remove it from our samples.