An InvalidState exception is thrown from the PHP SDK during exchange() when the state parameter returned by Auth0 doesn’t match the temporary cookie stored on the client when login() is fired before the redirect. This means there is either an issue with the cookie getting stored properly on the client before getting redirected, being retrieved from the client during callback, or an issue with pulling the state response from the callback request.
- Check your Auth0 logs for anything out of the ordinary with the request
- Ensure you have both
codeandstateparameters the URI of your application’s callback; if there is an error parameter something is going wrong with the request, and should be in your Auth0 logs - Use your browser dev tools to ensure the transient cookie is being set properly before the redirect
- Unrelated, but we have an
Auth0::signup()helper method for issuing the ?screen_hint requests, so you don’t have to craft it yourself