
State not received anymore on "implicit grant"


Please fill out the following to the best of your ability. Doing so will help out the troubleshooting process

  • What are you trying to achieve? What is the use case or idea behind it?
    Make our service work again, without changing anything

  • If this is caused by an SDK please mention the SDK along with the specific version number.

  • Is this easily reproducible? If not, please explain.

4 days ago, when we sent the login_url "" with:

  1. redirect_uri
  2. approval_prompt
  3. scope
  4. client
  5. response_type
  6. state

When you sent us to our callback, we received the state, but not anymore (all our services stopped working at once, without us touching anything on our side, so we guess that you changed something 4 days ago, i.e. 9 March).

We had to change our code to not check that anymore (which is potentially a security issue).

  • If this is related to Lock / any SDK please share the SDK as well as lock initialization code or any code that is relevant.

  • If this is an issue with an API please mention the endpoint you are trying to hit. Relevant code, and or a network trace, is really helpful when debugging such issues.

  • Environment-specific information (Which OS, Language Runtime + Version, Browser etc).


I’m also having something very similar to your problem. I was able to login using my apps, then a few days ago (March 16) authentication worked but I started receiving an error {error: "invalid_token", errorDescription: "statedoes not match."}. Tracing through the app, indeed state was not being passed through.

I too can change code that will bypass this but obviously this is not a good solution.


@michael.bitard you mention that you performed a request to /login, but that is not correct. The expected endpoint to start an OIDC/OAuth 2.0 authentication/authorization request would be /authorize. If you’re calling /login directly you need to change this.

@cody.mcmichael if you’re also starting the transaction at /login and this is the reason you don’t have a valid state then you should also update your logic to not call that endpoint directly. If this is not the reason then you’ll need to provide additional information about how the request is started.