Problem statement
We want to know why the “state” attribute in a Failed Login event log is not the same as the one sent to the authorization routine.
Solution
There are two types of `state` parameter/attribute used in the Auth0 login flow.

- The `state` used in the OAuth2 authorization flow
  - Authorization Code Flow
  - RFC 6749 - The OAuth 2.0 Authorization Framework

  This `state` is generated by the application and sent to the `/authorize` endpoint of Auth0. When Auth0 redirects the user back to the application's callback URL, the `state` value must be an exact match to the one sent by the application. This is the `state` value sent to the authorization endpoint by the application.

- The `state` used by Auth0 during the login/signup flow

  A login/signup flow involves multiple API calls to Auth0 for maintaining the state of the user in the login/signup flow (e.g. authenticated, executing rules, MFA, etc.). This `state` parameter is used and present in almost every Auth0 API call.

  For example, in the request to the `GET /authorize/resume` endpoint, there is a `state` parameter:

  https://TENANT_NAME.auth0.com/authorize/resume?state=lWdp_kWJIq5VWG8K8n7jM2rlt7jI0bY8

  The `state` parameter value here is the `state` field recorded in the tenant log as `details.qs.state`.
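The following added example (not code from Auth0 or from this article) shows the first kind of `state` from the application's side: it generates a random `state`, stores it in the user's session, builds the `/authorize` URL, and on the callback accepts the authorization code only when the returned `state` is an exact match. The same `state_from_query` helper applied to the `/authorize/resume` URL above pulls out the second kind of `state`, the one that shows up in the tenant log as `details.qs.state`, which is why the two values will not match. The tenant domain, client ID, redirect URI and the dict used as a session store are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def state_from_query(url):
    """Return the `state` query parameter of a URL, or None if absent."""
    return parse_qs(urlparse(url).query).get("state", [None])[0]


def build_authorize_url(session, tenant_domain, client_id, redirect_uri):
    """Generate a fresh, unguessable OAuth2 `state`, remember it in the session
    (a plain dict here stands in for the app's real session store), and build
    the Auth0 /authorize URL that carries it."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state,
    }
    return f"https://{tenant_domain}/authorize?" + urlencode(params)


def validate_callback(session, callback_url):
    """Return the authorization code from the callback URL only if the `state`
    Auth0 sent back exactly matches the one this app stored; otherwise None.

    The stored value is consumed (popped) so a state can be used once only,
    and the comparison is constant-time."""
    expected = session.pop("oauth_state", None)
    returned = state_from_query(callback_url)
    if expected is None or returned is None:
        return None
    if not hmac.compare_digest(expected.encode(), returned.encode()):
        return None
    return parse_qs(urlparse(callback_url).query).get("code", [None])[0]


if __name__ == "__main__":
    # Assumed values for a demo run; TENANT_NAME mirrors the article's placeholder.
    session = {}
    url = build_authorize_url(session, "TENANT_NAME.auth0.com", "CLIENT_ID",
                              "https://app.example.com/callback")
    app_state = state_from_query(url)
    print("app-generated state:", app_state)

    # The internal state Auth0 uses on /authorize/resume (from the article's example URL)
    # is a different value: this is what the log records as details.qs.state.
    resume_url = "https://TENANT_NAME.auth0.com/authorize/resume?state=lWdp_kWJIq5VWG8K8n7jM2rlt7jI0bY8"
    print("details.qs.state:", state_from_query(resume_url))
    print("same value?", app_state == state_from_query(resume_url))

    # Simulated callback: matching state yields the code; a tampered one does not.
    cb = f"https://app.example.com/callback?code=CONSTRUCTED_CODE&state={app_state}"
    print("code on valid callback:", validate_callback(session, cb))
```

A mismatch on the callback is the only case the application should treat as an error; the `details.qs.state` seen in a Failed Login log entry is Auth0's own flow-tracking value and is not expected to equal the application's `state`.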