Auth0 Home Blog Docs

Universal login: New user is created even the signup API throwing "invalid state" error in sign up page

We are using the universal login standalone solution, with custom UI.

Steps to replicate the issue:

  1. Go to the sign up page, start filling some fields and leave it for 20 or 30 minutes. Than come back to complete the remaining field and then submit.

  2. The “auth.webAuth.redirect.signupAndLogin” api is throwing “invalid state” error, since the state has expired.

51%20PM

Expect:

  • No user should be created within Auth0 users panel

Actual:

  • User has been created anyway

Question:

  1. What case the auth0 webAuth will throw “Invalid state”?
  2. Why do we need to throw this error if that’s not gonna stop creating a new user? I can just ignore this error and continue log user in?

The state is not used nor validated by Auth0 (on the authorization server end) in any way but just passed through and back to the client application upon return, to help mitigate CSRF attacks.

Authorization protocols provide a state parameter that allows you to restore the previous state of your application. The state parameter preserves some state object set by the client in the Authorization request and makes it available to the client in the response.

The Auth0 server does not validate or require a state value and returns it untouched to the callback URL.

  1. The cookie where the state is stored on the client-side might be expired
  2. As mentioned above, the state isn’t validated by the authorization server / Auth0, so signup is ok at that point in time, but validated when back at the client, to mitigate CSRF attacks.

CSRF mitigation and state mentioned in the OAuth2 specs:
https://tools.ietf.org/html/rfc6749#section-10.12

1 Like

Thanks for your detailed explanation. Just to confirm whether my understanding is correct:

Auth0 webAuth will create a cookie in browser to store the state which is related to the “state” url parameter.

29%20PM

I actually find the only cookie from Auth0 is the one named “auth0”:

24%20PM

Everything stops working after I delete it, it just redirect me to an error page like this:

55%20PM

However, I don’t think the cookie is expired since it’s life span is 3 days:

04%20PM

Could you explain a bit more on when and how did Auth0 generate state and set the cookie?

Thanks for your help.

Which Auth0 SDK (is it auth0.js or auth0-js-spa?) are you using on the client side? And what’s your technology stack?

We are using the universal login admin (https://manage.auth0.com/dashboard/us/project-name/login_page) to upload our frontend html/js code for login and reset password page.

We are using auth0-js version 9.11.1 (https://www.npmjs.com/package/auth0-js). The code we upload is an single page react application, which get compiled inline to one html file.

Auth0 webAuth will create a cookie in browser to store the state which is related to the “state” url parameter.

Correct.

The cookie looks like this and is only valid for 30 minutes.

You can check it by

  • clicking the Login button in your app, then
  • open localhost:3000 another browser tab and check the cookies -> the cookie should be there

(The cookie is automatically deleted again after successful redirection of the OAuth flow to the client app.)

Cool, it starts making more sense now.

Are you suggesting the cookie will only be created when we click on sign in/sign up button, and it’s life span ends once the auth flow finishes?

In my case, when I click sign up button, the Auth0 user got created (since Auth0 is not verify state). However, Auth0 failed to create the cookie from the url query “state”? So technically speaking the cookie is not yet created so it can’t be expired?

thanks for your patience :slight_smile: