State Parameter Validation Length

Overview

This article explains how long the state parameter remains valid before it expires.

Auth0 documentation states that after some time, the state is no longer valid.
Per the documentation under Users bookmark login page:

“When an application initiates the login process, it navigates to https://Tenant Name/authorize with a set of required parameters. Auth0 then redirects end-users to an https://tenant/login page, with a URL that looks like:

https://tenant/login?state=g6Fo2SBjNTRyanlVa3ZqeHN4d1htTnh&

The state parameter points to a record in an internal database where we track the status of the authorization transaction. Whenever the transaction completes, or after a set time passes, the record is deleted from the internal database.”

Applies To

  • State Parameter
  • Expiration

Solution

The state parameter is invalidated after one hour, per the following article:

How to Test changes to Maximum Expiration Time for Login Transactions Deprecation

It could be less than one hour if the inactivity timeout or the required log-in after setting in the Log In Session Management settings is configured to a shorter period.