State token change between /authorize and /login

Hi,

I am trying to use Passwordless with Lock and Cordova, but I have a bug with auth0-state:
I logged the requests on /authorize and /login and I can see the “state” parameter change when the request redirects from /authorize to /login.

This is the request (redacted):

https://XXXXXXXXXX.eu.auth0.com/authorize?client_id=XXXXXXXXXX&scope=openid%20profile&audience=https%3A%2F%2FXXXXXXXXXX.eu.auth0.com%2Fuserinfo&state=cTaOjEd5oU18Nhikmf0SnfQQAT6P3Vxvz3fZAfQe3vw&code_challenge_method=S256&response_type=code&redirect_uri=com.XXXXXXXXXX.mobileapp%3A%2F%2FXXXXXXXXXX.eu.auth0.com%2Fcordova%2Fcom.XXXXXXXXXX.mobileapp%2Fcallback&code_challenge=rDAuZtpGMby22GGgavGhNb-MG5ihBn2EvfVk7asLCtk&auth0Client=eyJ2ZXJzaW9uIjoiMC4zLjAiLCJuYW1lIjoiYXV0aDAtY29yZG92YSIsImxpYl92ZXJzaW9uIjoiOS42LjEifQ%3D%3D

You can see the state parameter: &state=cTaOjEd5oU18Nhikmf0SnfQQAT6P3Vxvz3fZAfQe3vw

This request is redirected to /login:

https://XXXXXXXXXX.eu.auth0.com/login?state=giaSpAzawCuttLNvjO0imJR5Tb3m-6YU&client=XXXXXXXXXX&protocol=oauth2&scope=openid%20profile&audience=https%3A%2F%2FXXXXXXXXXX.eu.auth0.com%2Fuserinfo&code_challenge_method=S256&response_type=code&redirect_uri=com.XXXXXXXXXX.mobileapp%3A%2F%2FXXXXXXXXXX.eu.auth0.com%2Fcordova%2Fcom.XXXXXXXXXX.mobileapp%2Fcallback&code_challenge=rDAuZtpGMby22GGgavGhNb-MG5ihBn2EvfVk7asLCtk&auth0Client=eyJ2ZXJzaW9uIjoiMC4zLjAiLCJuYW1lIjoiYXV0aDAtY29yZG92YSIsImxpYl92ZXJzaW9uIjoiOS42LjEifQ%3D%3D

You can see the state parameter: state=giaSpAzawCuttLNvjO0imJR5Tb3m-6YU

The parameter changed.

And in auth0-cordova the request parameter (cTaOjEd5oU18Nhikmf0SnfQQAT6P3Vxvz3fZAfQe3vw) is compared to the response parameter (iaSpAzawCuttLNvjO0imJR5Tb3m-6YU).

As you can see, it’s not the same, and an error occurred: ‘Response state does not match expected state’

Can you tell me why the state token changes from /redirect to /login and how I can fix that?

Thank you.


@mrpierrot were you able to solve your issue? if not, could you share the code you are using for authentication?

@kimcodes I investigated a bit.
I used the magic link system with email.
If I use the code system (with email) I can see the /login state is not related to the /authorize state.
If I use the code system, my URL callback uses the /authorize state token and works fine.

But I don’t use Auth0 anymore, and that solved my problem :smiley: …sorry…