laravel-auth0: Setting of state_handler in Auth0Service causes "Invalid state" error

Description

Upgraded from 5.2.0 to 5.3.0 and ran into this issue.

When I attempt to login I get an “Invalid state” error. Went through multiple threads and a couple of issues here and on other repos without success.

After some time of debugging I found the following line to be an issue: https://github.com/auth0/laravel-auth0/blob/a008725b0728ec1c6a104617d2d447ed4078c82c/src/Auth0/Login/Auth0Service.php#L55

Commenting it out made the login work again, but editing vendor files is no fix.

Attempted to find out why. Went into the SDK and dumped out the state; the store does not seem to contain anything. The state variable never seems to get set, so the validate method returns false all the time. Maybe I’m incorrectly understanding how this should work.

Also, is it supposed to set the state handler even if I have state_handler set to false in my config? Or is that config meant only for the SDK?

Reproduction

This might be specific to something in my project, a bit unsure still.

I’m using the database connection in Auth0, logging in with username and password.

My setup looks pretty much like this guide, with custom user handling: https://auth0.com/docs/quickstart/webapp/laravel#integrate-auth0-in-your-application

Only differences are the login and logout methods. On login I’m simply checking if the user is logged in and then returning a login view if they’re not. On that view I have Lock.js set up and configured.

Maybe a relevant section from that configuration:

auth: {
    redirectUrl: '{{ $auth0Config["redirect_uri"] }}',
    responseType: 'code',
    params: {
        scope: 'openid profile name email'
    }
}

Environment

  • Version of this library used: 5.3.0
  • Version of the platform or framework used, if applicable: Laravel 5.8 and PHP 7.2
  • Other modules/plugins/libraries that might be involved: Using the latest SDK

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 17 (8 by maintainers)

Most upvoted comments

@joshcanhelp One of our clients requires IdP-initiated SSO, which required the state_handler to be disabled for this one workflow. In all other cases it was possible to use state handling as recommended by Auth0.

I’m encountering similar issues when state_handler is set to false upon upgrading from 5.1 to 5.3

I’ve dug through some code and believe it’s related to this pull request: https://github.com/auth0/laravel-auth0/pull/135

If I manually set the constructor in Auth0Service to use the DummyStateHandler instead of the SessionStateHandler then everything works as expected. I believe this is how the library used to handle the scenario when state_handler was false.

I’ve been unsuccessful in using the Laravel IoC to construct Auth0Service with a DummyStateHandler. I believe this is because the constructor is expecting the SessionStateHandler class instead of the StateHandler interface.

The root of the issue appears to be here.

    /**
     * Auth0Service constructor.
     *
     * @param array $auth0Config
     * @param StoreInterface $sessionStorage
     * @param SessionStateHandler $sessionStateHandler  Concrete class, not the StateHandler interface,
     *                                                   so the container cannot inject a DummyStateHandler
     *
     * @throws \Auth0\SDK\Exception\CoreException
     */
    public function __construct(
        array $auth0Config = null,
        StoreInterface $sessionStorage = null,
        SessionStateHandler $sessionStateHandler = null
    )
    {
        // Backwards compatible fallbacks
        if (!$auth0Config instanceof Repository && !is_array($auth0Config)) {
            $auth0Config = config('laravel-auth0');
        }
        if (!$sessionStorage instanceof StoreInterface) {
            $sessionStorage = new LaravelSessionStore();
        }
        if (!$sessionStateHandler instanceof SessionStateHandler) {
            $sessionStateHandler = new DummyStateHandler($sessionStorage);
        }

        $auth0Config['store'] = $sessionStorage;
        $auth0Config['state_handler'] = $sessionStateHandler;
        $this->auth0 = new Auth0($auth0Config);
    }

Apologies if this isn’t clear. I’ll try and clarify further if you have questions.
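To make the mechanism behind both reports concrete (the empty store seen by the issue author, and the constructor type hint discussed in the comment above), here is an added, self-contained PHP illustration. It is not code from laravel-auth0 or the Auth0 PHP SDK: the interface and class names (StoreInterface, StateHandler, SessionStateHandler, DummyStateHandler, Auth0ServiceLike, ArrayStore) are defined in the file itself and only mirror the SDK's naming, so treat their method signatures as assumptions. It shows why a session-backed handler rejects a callback when nothing in that session ever issued a state, why the state is single-use, and how a constructor hinted on the interface rather than the concrete class lets a no-op handler be injected when state checking is deliberately turned off.

```php
<?php
// Added example; not the SDK's or laravel-auth0's code. All names below are
// stand-ins defined here so the script runs on its own: php state_demo.php

interface StoreInterface
{
    public function set(string $key, $value): void;
    public function get(string $key, $default = null);
    public function delete(string $key): void;
}

// In-memory stand-in for the Laravel session store (constructed for this demo).
final class ArrayStore implements StoreInterface
{
    private $data = [];
    public function set(string $key, $value): void { $this->data[$key] = $value; }
    public function get(string $key, $default = null) { return $this->data[$key] ?? $default; }
    public function delete(string $key): void { unset($this->data[$key]); }
}

interface StateHandler
{
    public function issue(): ?string;
    public function validate(?string $state): bool;
}

// Session-backed handler: issue() stores a random nonce before redirecting to
// the IdP; validate() requires the callback to echo it back, then discards it.
final class SessionStateHandler implements StateHandler
{
    private const KEY = 'webauth_state';
    private $store;

    public function __construct(StoreInterface $store) { $this->store = $store; }

    public function issue(): ?string
    {
        $state = bin2hex(random_bytes(16));
        $this->store->set(self::KEY, $state);
        return $state;
    }

    public function validate(?string $state): bool
    {
        $expected = $this->store->get(self::KEY);
        $this->store->delete(self::KEY); // single use, whatever the outcome
        if ($expected === null || $state === null) {
            return false; // nothing was issued in this session: reject
        }
        return hash_equals($expected, $state); // constant-time compare
    }
}

// Opt-out handler for flows that cannot carry a session-issued state
// (the IdP-initiated SSO case from the comment). It performs no CSRF check.
final class DummyStateHandler implements StateHandler
{
    public function issue(): ?string { return null; }
    public function validate(?string $state): bool { return true; }
}

// Constructor hinted on the interface, so either handler can be injected.
final class Auth0ServiceLike
{
    private $stateHandler;
    public function __construct(StateHandler $stateHandler) { $this->stateHandler = $stateHandler; }
    public function stateHandler(): StateHandler { return $this->stateHandler; }
}

// Scenario 1, the symptom in the issue: the login page (Lock.js here) starts
// the flow itself, so issue() is never called and the session holds no state.
// The callback then reaches a SessionStateHandler and is rejected.
$store  = new ArrayStore();
$strict = new SessionStateHandler($store);
var_dump($strict->validate('state-generated-by-lock')); // bool(false) -> "Invalid state"

// Scenario 2: the same handler issues and validates the state; the second
// validation fails because the stored value was consumed.
$state = $strict->issue();
var_dump($strict->validate($state)); // bool(true)
var_dump($strict->validate($state)); // bool(false)

// Scenario 3: state_handler disabled. Because the constructor accepts the
// interface, a DummyStateHandler can be passed in; note that this accepts any
// callback, so it belongs only on the workflow that genuinely needs it.
$service = new Auth0ServiceLike(new DummyStateHandler());
var_dump($service->stateHandler()->validate(null)); // bool(true)
```

The design point is the difference between scenario 1 and scenario 2: state checking only works when the same session that issued the value is the one that validates it. If the login page generates its own state (as Lock.js does), a server-side handler that never ran issue() will always see an empty store, which is exactly the "never set" observation in the issue. Scenario 3 is the escape hatch the comment describes; it removes the CSRF protection the state parameter provides, so it should be bound for the one flow that requires it rather than globally.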