passport-auth0: Unable to verify authorization request state.
I have not changed anything in my original set up (which worked up until last week). My auth0 strategy is as follows:
```javascript
// Perform the login
app.get('/login', passport.authenticate('auth0', {
    clientID: env.AUTH0_CLIENT_ID,
    domain: env.AUTH0_DOMAIN,
    redirectUri: env.AUTH0_CALLBACK_URL,
    audience: env.AUTH0_AUDIENCE,
    responseType: 'code',
    scope: 'openid profile'
  }),
  function(req, res) {
    res.redirect('/');
  }
);
```
When a user goes to log in, they will be sent to Auth0's authentication screen.
It lets me successfully log in to an account, however upon returning to this function:
```javascript
app.get('/authenticate', passport.authenticate('auth0', { failureRedirect: '/' }),
  function(req, res) {
    console.log('called 4');
  }
);
```
The failure redirect is ALWAYS called, even though when I check my account, it reports that a successful login has happened.
So I added the custom callback to the above function like so:
```javascript
app.get('/authenticate', passport.authenticate('auth0', function(err, user, info) {
    console.log("authenticate");
    console.log(err);
    console.log(user);
    console.log(info);
  }, { failureRedirect: '/' }),
  function(req, res) {
    // ...
  }
);
```
Which now gives me the response:
```text
authenticate
null
false
{ message: 'Unable to verify authorization request state.' }
```
What does this mean? I cannot find anywhere on the documentation or the community posts that states that on an average authentication method I would need to add a request state.
About this issue
- State: closed
- Created 6 years ago
- Reactions: 17
- Comments: 19 (2 by maintainers)
I had the same error ('Unable to verify authorization request state.'). Trusting the first proxy (my app is behind an nginx reverse proxy) solved it for me.
I got the solution from https://www.npmjs.com/package/express-session#cookiesecure
Hope this helps someone! 😊
I also had this exact issue and was able to fix it by setting the Express Session module’s cookie.sameSite option to: false
```javascript
cookie: { sameSite: false }
```
Had same issue, this thread was super helpful, but I also found that I needed to add sess.proxy = true
Referencing: https://community.auth0.com/t/redirect-too-many-times/35606/7
I got this error as well when setting
```javascript
cookie: { secure: true }
```
in express-session locally. The reason for that is because I was using HTTP and so, the cookie was not being sent to Auth0. If you use a HTTPS connection, this wouldn't be an issue. I fixed it by using https locally and the error is gone.
EDIT: Another reason this can happen in your production might be that you are using the default MemoryStore:
> The default in-memory store can lead to problems in production if the application is deployed to several server instances or a single instance that recycles server processes.
Source: https://www.npmjs.com/package/express-session#sessionoptions
Source: https://www.npmjs.com/package/express-session#store
Using a custom session storage for the express session would do the trick: https://www.npmjs.com/package/express-session#compatible-session-stores
I am getting the same problem. Surprisingly when I use it with localhost it works but as soon as I host in production which is Heroku for me it gives the same info message.