Auth0 Home Blog Docs

State is being altered on Auth0 (Proven at Rule)



This one is in the weeds so probably need a auth0 guru to respond.


  • I am using auth0.js and lock to authenticate.
  • Passing in a state
  • Using Rules

All is working well except one scenario. I am passing in the state and on callback it comes back correctly. However in my situation I pass the state back to my API in a RULE.

Here is the kicker - the state is what I expect to receive in all situations EXCEPT when the user uses Username-Password and is not remembered.

So if I login using any social provider - WORKS
If I login as username and password - first time it FAILS (state is no longer the value I sent in)
If I relogin and it remembers my username and password - WORKS

The state I am sending in is a GUID for example: 99999999-9999-9999-9999-999999999999
What I see when it is failing is a 32 character string - and it is different on each call, example: LypO4is6v8fKG3CgLqU0sVFmAJoQr6Y6

PS You may come back and tell me I should not be relying on state at the RULE level. If this is the answer what is the best way to send in a GUID that will be passed through to the RULE.


I mispoke – I am not using lock but just auth0.js