Hey @voronin
The state is a random string, generated by Auth0.js right before redirecting the user to the authorization endpoint (/authorize), included in that request, and stored locally (in a cookie, in the latest versions of Auth0.js). When Auth0 (the service) redirects the browser back to the app with the authorization response, it includes that state that Auth0.js compares with what was stored in the cookie (if it doesn’t match, you get the state does not match error).
IIRC the cookie where the state is stored has a duration of 30 minutes, so if the user stays on the login page (or other interactive parts of the authorization process) longer than that, this error could appear. A new version deploy shouldn’t cause this (unless you are changing domains!), but hopefully understanding how this works will help you with the troubleshooting.
3 Likes