"webAuth.popup.authorize()" throwing "`state` does not match" error in callback - Angular SPA


Auth0 team - thank you for a great tool for handling heavy auth duties.

Within our Angular5 app, we have regular webAuth.authorize() flow with in-tab redirection implemented, but want to implement it popup mode now, as it makes more sense in scope of feature being developed, so I went on and implemented webAuth.popup.authorize({}, callback), according to info from docs and some useful posts here.

I end up getting the following error in my callback from above (tried with both auth0-js 8.12.3 and 9.7.3):

  code: "invalid_token",
  description: "`state` does not match.",
  original:  {
    error: "invalid_token",
    errorDescription: "`state` does not match."

Here is the flow I follow:

  1. On app load, in my shared Angular service AuthService, I initialize a new instance of Auth0:
  import * as auth0 from 'auth0-js';
  webAuth = new auth0.WebAuth({
    clientID: CONFIG.clientID,
    domain: CONFIG.domain,
    responseType: 'token id_token',
    audience: 'auth_api',
    redirectUri: `${CONFIG.clientEndpoint}/auth-callback`,
    scope: 'openid profile email',
    leeway: 10
  1. From component class, upon user interaction I invoke the following public method in the same Angular service AuthService:
public popupLogin() {
      redirectUri: `${CONFIG.clientEndpoint}/auth-callback`
    (err, response) => {
      console.log({err}, {response});
  1. In component which handles the redirectUri, a following logic is triggered:
const webAuth = new auth0js.WebAuth({
  clientID: CONFIG.clientID,
  domain: CONFIG.domain

note - the code above is according to this comment and this post - Auth0.js Popup Autoclose.

for more clarity - here’s the whole flow of the callback’s page component’s logic:

export class AuthCallbackComponent {

  constructor(private auth: AuthService) {
      .subscribe(() => {
        const webAuth = new auth0js.WebAuth({
          domain: CONFIG.domain,
          redirectUri: `${CONFIG.clientEndpoint}/auth-callback`,
          popupOrigin: CONFIG.clientEndpoint
      }, e => {

here is handleAuthentication method from AuthService:

public handleAuthentication() {
    const parseHashAsObservable = Observable.bindNodeCallback(this.webAuth.parseHash.bind(this.webAuth));

    return parseHashAsObservable().pipe(
      switchMap((authResult: any) => {
        if (authResult && authResult.accessToken && authResult.idToken) {
          window.location.hash = '';
        } else {
          return _throw(new Error('Authentication failed'));

My assumption is that there is miscommunication between, essentially 2 spa’s - one that triggered popup to open, and another is the app, that loaded inside the new popup window when /auth-callback route was navigated to.

Will greatly appreciate any hints or thoughts - thanks in advance!

:wave: @roman.h Would it be possible to provide a HAR file of the error being thrown? You can find instructions on how to create it here: https://auth0.com/docs/support/troubleshooting-with-har-files and please DM me the file

Hey Kim!
Thanks for getting back to me.
Will do and will send it out to you shortly.

Great, thank you very much! I am going to take a look at it now.

1 Like

any news about this ? i have same problem on react spa

Hi @maiziying

No news from Auth0 team yet.
I ended up going the redirection route, and it worked well.

Were you able to solve this @kimcodes? I’m having the exact same problem with "state does not match." when using the popup callback in our angular application.

I even put together a sample repo where I get the exact same error: https://github.com/mickeeri/auth0-popup-example/tree/master/login-with-popup. It is basically the auth0 angular example application with added popup authentication.

Thanks in advance.

Hello! The code in OP’s post looks like a hybridization of popup flow combined with redirection. The error with invalid token due to mismatched state often occurs because of a crossing of origins between the callback handler and the app’s domain. Here are some important distinctions to make when implementing popup mode:

  • The callback page, in this case, needs to live outside of the Angular application on your server. It’s just a static page that is not part of your SPA. It should, however, be of the same origin as your app. If you’re working with the CLI and using the CLI’s serve capabilities, you can do this by using a proxy.
  • You do not need to do any hash parsing when using popup mode (parseHash is specific to redirect mode). Popup mode will automatically return your authentication results from the authorize endpoint callback instead.

I am currently in the process of writing a full Angular tutorial on implementing popup mode; the tutorial isn’t written yet, but the sample app is thoroughly under way, and I would be happy to share the application code as soon as it’s completed and made public (should hopefully be sometime in the next couple of weeks).

The response that was posted by @jmangelo here:

is an accurate summary of what needs to happen in the redirect static page that lives on the server.

1 Like