State parameter does not match for Android SDK login using custom Universal Login page that invokes Auth0.js

  • Which SDK this is regarding: Auth0 Android SDK, auth0-js
  • SDK Version: com.auth0.android:auth0:2.0, auth0-js v9.13.2
  • Platform Version: Android buildToolsVersion v30.0.3, Node v10.15.3
  • Code Snippets/Error Messages/Supporting Details/Screenshots:

Our application uses Universal Login with a custom injected React app that instantiates a WebAuth instance using auth0-js and then invokes the WebAuth.login() method upon login form submission. We are currently supporting a web SPA client and are working on adding an Android app as an additional client.

Using the Android quickstart as a test mobile app, login fails with a "Received state doesn't match." error after the user signs in. The login app does load correctly, but the return back to the mobile app from the website with the auth payload is failing.

2021-10-07 16:49:01.925 27291-27291/com.auth0.androidsample D/OAuthManager: Using the following Authorize URI: https://simplyhired-develop.auth0.com/authorize?scope=openid%20profile%20email%20read%3Acurrent_user%20update%3Acurrent_user_metadata&audience=hrs-backend&response_type=code&code_challenge=f-6nbn_skP62oSWMqVqLdxDsOaVYZISuW6FcEF8o5y8&code_challenge_method=S256&auth0Client=eyJuYW1lIjoiQXV0aDAuQW5kcm9pZCIsImVudiI6eyJhbmRyb2lkIjoiMzAifSwidmVyc2lvbiI6IjIuNC4wIn0%3D&client_id=Tuoza6VlRotIeJMuHgkYbPgY1XiiFzHv&redirect_uri=demo%3A%2F%2Fsimplyhired-develop.auth0.com%2Fandroid%2Fcom.auth0.androidsample%2Fcallback&state=bDlATz9LdvwTAPGMtghoztFuwzPYQDnDWRhhQVv2uII&nonce=pnJA5XLayrWIAyMRzeeHsc9M5PqMwFYXtYu6ymKC8fQ
2021-10-07 16:49:02.497 27291-27291/com.auth0.androidsample D/CustomTabsController: CustomTabs Service connected
2021-10-07 16:49:02.556 27291-27331/com.auth0.androidsample D/CustomTabsController: Launching URI. Custom Tabs available: true
2021-10-07 16:49:31.904 27291-27291/com.auth0.androidsample D/OAuthManager: The parsed CallbackURI contains the following parameters: [code, state]
2021-10-07 16:49:31.905 27291-27291/com.auth0.androidsample E/OAuthManager: Received state doesn't match. Received hKFo2SBOSEFIV3hiU25HM0EzUnVLd3NadU8xb3VwdnBxNXBnTqFupWxvZ2luo3RpZNkgdzNSLVpndXRJX2hiQ2NsWmZpMEkyYmgzX1ZMbU5qcjSjY2lk2SBUdW96YTZWbFJvdEllSk11SGdrWWJQZ1kxWGlpRnpIdg but expected bDlATz9LdvwTAPGMtghoztFuwzPYQDnDWRhhQVv2uII
2021-10-07 16:49:31.956 27291-27291/com.auth0.androidsample D/***: error: com.auth0.android.authentication.AuthenticationException: An error occurred when trying to authenticate with the server.

From what I can tell, the Android Universal Login flow expects a valid return value of this state parameter as part of the OAuth 2.0 flow, but that parameter is not accessible within the context of our custom login page, and seems like it may be overridden by the state parameter on /login referenced on this page: Configure Default Login Routes.

Does anyone know how to resolve this so that we can login to both an Android client and a web SPA client using Universal Login with Auth0.js?

Is this a feature request or bug report? No

Hey there!

In order to handle that most effectively, it will be best if you can raise a GitHub issue for that so we can have it addressed directly by the repo maintainers. Once you have a link to it, you can share it with us here so we can ping them. Thank you!