The state is not used nor validated by Auth0 (on the authorization server end) in any way but just passed through and back to the client application upon return, to help mitigate CSRF attacks.
Authorization protocols provide a state parameter that allows you to restore the previous state of your application. The state parameter preserves some state object set by the client in the Authorization request and makes it available to the client in the response.
The Auth0 server does not validate or require a state value and returns it untouched to the callback URL.
The cookie where the state is stored on the client-side might be expired
As mentioned above, the state isn’t validated by the authorization server / Auth0, so signup is ok at that point in time, but validated when back at the client, to mitigate CSRF attacks.
CSRF mitigation and state mentioned in the OAuth2 specs:
We are using auth0-js version 9.11.1 (auth0-js - npm). The code we upload is a single-page React application, which gets compiled inline into one HTML file.
Are you suggesting the cookie will only be created when we click on the sign in/sign up button, and its life span ends once the auth flow finishes?
In my case, when I click the sign up button, the Auth0 user gets created (since Auth0 does not verify state). However, Auth0 failed to create the cookie from the URL query "state"? So technically speaking the cookie is not yet created, so it can't be expired?