State parameter missing from callback

When logging into our site, our users sometimes hit our callback page from Auth0 and don’t get redirected onwards. On closer inspection of why this could be happening, the code looks as follows:

if (
    window.location.pathname == callbackPath &&
    window.location.search.includes('code=') &&
    window.location.search.includes('state=')
) {
    // Call handleRedirectCallback() and forward user to desired page
}
else if (window.location.search.includes('error=')) {
    // Forward user to error page
}

This code generally works well and does not have an else case present.

However, sometimes Auth0 redirects the user back to https://oursite.com/callback?code=JXLEAMf9pBVzWq2L

Notice that the state parameter is missing. We have no idea why this could be happening or if this is a legitimate case that we should be handling.

Any insights would be appreciated.

Further background and setup information below:

  • We use Authorization code with PKCE flow
  • We use Auth0 SPA JS library and calls to login are done using loginWithRedirect()
  • The login is actually successful and can be confirmed in the Auth0 logs
  • We use a custom domain
  • We have confirmed at least 1 case where this happened with a user using Google social login

Just to close the loop here, this is definitely not an Auth0 bug.

This was caused by our WAF code not URL encoding and inadvertently cutting off the state parameter from the URL in one of the redirects. The details aren’t really that interesting other than just knowing that the state parameter was coming back from Auth0 correctly.
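As an added illustration of the callback check discussed above (example code, not the poster's or Auth0's), the following parses the query with URLSearchParams instead of substring-matching on 'state=', and treats the truncated URL from the question (code present, state missing) as a failed login rather than falling through silently. The callback path '/callback', the hypothetical handleCallback() wrapper, and the stored-state comparison are assumptions for the example.

```javascript
// Added example, not part of the original thread. Classifies an Auth0 callback
// URL by parsing its query string, so that an empty or missing state (as in the
// truncated URL from the question) is reported instead of ignored.
function classifyCallback(urlString, callbackPath = '/callback') {
  const url = new URL(urlString);
  if (url.pathname !== callbackPath) return { kind: 'not_callback' };
  const params = url.searchParams;

  // Auth0 reports a failed authorization with error= and error_description=.
  const error = params.get('error');
  if (error !== null) {
    return { kind: 'error', error, description: params.get('error_description') || '' };
  }

  // A substring test like search.includes('state=') would accept "state=" with
  // an empty value; get() returns '' (falsy) for that, so it is caught here.
  const code = params.get('code');
  const state = params.get('state');
  if (code && state) return { kind: 'success', code, state };
  if (code && !state) return { kind: 'missing_state', code };
  return { kind: 'incomplete' };
}

// Hypothetical wrapper standing in for the handleRedirectCallback() branch.
// storedState is the value the SPA generated before loginWithRedirect(); the
// code must never be exchanged unless the returned state matches it.
function handleCallback(urlString, storedState, callbackPath = '/callback') {
  const result = classifyCallback(urlString, callbackPath);
  switch (result.kind) {
    case 'success':
      if (result.state !== storedState) {
        return { action: 'reject', reason: 'state mismatch' };
      }
      return { action: 'exchange_code', code: result.code };
    case 'missing_state':
      // This is the case from the question: log it and fail the login.
      return { action: 'reject', reason: 'state parameter missing' };
    case 'error':
      return { action: 'show_error', reason: result.error };
    default:
      return { action: 'none', reason: result.kind };
  }
}

// Constructed sample: the truncated URL quoted in the question.
const truncated = 'https://oursite.com/callback?code=JXLEAMf9pBVzWq2L';
console.log(handleCallback(truncated, 'expected-state'));
```

Wiring the 'reject' outcome to a visible error page, plus a log line containing the raw callback URL, is what surfaces an upstream component (such as a WAF redirect) dropping the state parameter.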