Problem statement
We want to know why the “state” attribute in a Failed Login event log is not the same as the one sent to the authorization routine.
Solution
There are two types of state parameter/attribute used in the Auth0 login flow.
- The
stateused in OAuth2 authorization flow
- Authorization Code Flow
- RFC 6749 - The OAuth 2.0 Authorization Framework
Thisstateis generated by the application and sent to the/authorizeendpoint of Auth0. When Auth0 redirects the user back to the application’s callback URL, thestatevalue must be an exact match to the one sent by the application.
This is thestatevalue sent in the authorization endpoint by the application.
- The
stateused by Auth0 during the login/signup flow
A login/signup flow involves multiple API calls to Auth0 for maintaining the state of the user in the login/signup flow (e.g. authenticated, executing rules, MFA, etc.). Thestateparameter is used and present in almost every Auth0 API call.
For example, in the request toGET /authorize/resumeendpoint, there is astateparameter:
https://TENANT_NAME.auth0.com/authorize/resume?state=lWdp_kWJIq5VWG8K8n7jM2rlt7jI0bY8
The state parameter value here is the state field recorded in the tenant log as details.qs.state.