Tenant log `details.qs.state` field doesn't match with the `state` sent in /authorize request

lihua.zhang · August 23, 2023, 10:20pm

Problem statement

We want to know why the “state” attribute in a Failed Login event log is not the same as the one sent to the authorization routine.

There are two types of state parameter/attribute used in the Auth0 login flow.

Authorization Code Flow
RFC 6749 - The OAuth 2.0 Authorization Framework
This state is generated by the application and sent to the /authorize endpoint of Auth0. When Auth0 redirects the user back to the application’s callback URL, the state value must be an exact match to the one sent by the application.
This is the state value sent in the authorization endpoint by the application.

The state used by Auth0 during the login/signup flow
A login/signup flow involves multiple API calls to Auth0 for maintaining the state of the user in the login/signup flow (e.g. authenticated, executing rules, MFA, etc.). The state parameter is used and present in almost every Auth0 API call.
For example, in the request to GET /authorize/resume endpoint, there is a state parameter:

The state parameter value here is the state field recorded in the tenant log as details.qs.state.

Topic		Replies	Views
State provided to /authorize different then state in /login Help classic-universal-login-experience , login-experience	1	963	April 26, 2023
How to read auth0 state parameter Help	12	17390	September 12, 2024
State parameter changing Help state	2	4182	August 26, 2019
Reading state value in rules with hosted login Help rules , hosted-login-page , state	3	6614	September 3, 2019
State parameter and user redirection Help session , redirect , state	4	18921	March 2, 2018