Passing 'appState' option to webAuth.authorize results in error

According to the SPA quickstarts it should be possible to pass an arbitrary appState parameter to authorize such that it is preserved during redirects.

Example:

webAuth.authorize({
  appState: { target: to.path },
});

It works; however, an error is printed on the JS console:

Following parameters are not allowed on the /authorize endpoint: [app_state]

Is the documentation wrong or is there a bug in the JS library?

I have sent a note to our docs team to look into this.

appState is a local state and may work for what you need, but there are a couple of issues with this:

  1. appState is not a documented part of the SDK and until it is I would caution against using it in case it gets deprecated or changed
  2. It throws the error in the console. It seems like just a warning, so perhaps not a huge deal, but it is still something to consider.

Another option is to use the state parameter instead.

NOTE: if you do switch to using state, it is also a good idea to add a nonce to the object you are sending, so you are closing the loop on possible CSRF attacks. See our Redirecting users with state docs for more information.

Thank you. I’ll look at using the state property instead. I just found it strange that all the examples were referring to the appState property while I couldn’t find it anywhere in the documentation/API reference.


Yes, after more digging, appState does have special behavior. I have asked the team to document it as a feature in the SDK or remove it from our samples.