We want to know why the “state” attribute in a Failed Login event log is not the same as the one sent to the authorization routine.
There are two types of state parameter/attribute used in the Auth0 login flow.
state used in the OAuth2 authorization flow
- Authorization Code Flow
- RFC 6749 - The OAuth 2.0 Authorization Framework
This state is generated by the application and sent to the /authorize endpoint of Auth0. When Auth0 redirects the user back to the application’s callback URL, the state value must be an exact match to the one sent by the application.
This is the state value sent to the authorization endpoint by the application.
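The application-side half of the flow above, as an added illustration that is not Auth0's own code: the app mints an unguessable state, stores it in the user's session, sends it on the /authorize request, and on the callback accepts the authorization code only if the echoed state is an exact match. Tenant domain, client ID and redirect URI are placeholder values.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values (not taken from the page): substitute your own tenant settings.
AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"
CLIENT_ID = "YOUR_CLIENT_ID"
REDIRECT_URI = "https://app.example.com/callback"


def build_authorize_url(session: dict) -> str:
    """Generate a fresh state, remember it in the caller's session (a plain dict
    stands in for the web framework's session store) and build the /authorize
    request for the Authorization Code Flow."""
    state = secrets.token_urlsafe(32)  # URL-safe, so urlencode leaves it unchanged
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
    }
    return f"https://{AUTH0_DOMAIN}/authorize?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Validate the state Auth0 echoes back on the callback URL.

    Returns the authorization code only when the echoed state exactly matches
    the one stored for this session; raises ValueError otherwise. The stored
    state is consumed on first use, so a replayed callback is also rejected."""
    expected = session.pop("oauth_state", None)
    query = parse_qs(urlparse(callback_url).query)
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        raise ValueError("missing state: no pending login for this session")
    # Constant-time comparison; the values must match exactly.
    if not hmac.compare_digest(expected, received):
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    code = query.get("code", [None])[0]
    if code is None:
        raise ValueError("callback carried no authorization code")
    return code
```

A mismatch here is the application's own check failing; it is unrelated to the Auth0-internal state value that appears in the tenant's Failed Login log entries.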
state used by Auth0 during the login/signup flow
A login/signup flow involves multiple API calls to Auth0 for maintaining the state of the user in the login/signup flow (e.g. authenticated, executing rules, MFA, etc.). This state parameter is used and present in almost every Auth0 API call.
For example, in the request to the GET /authorize/resume endpoint, there is a state parameter. The state parameter value here is the state field recorded in the tenant log as