Passwordless with email results in `invalid state` intermittently
Describe the problem
When using a passwordless login, with link as the passwordless option, the quickstart configured with our tenant always results in an `Invalid State` error. This error could be originating from auth0-spa, but presents reliably in the basic quickstart for login located here. In some cases, this login does work correctly, but there seems to be some character in the URL that throws an error on the client side; however, the tenant reports it as a successful login.
What was the expected behavior?
A successful login with no `Invalid State` error with passwordless login.
Reproduction
Download and configure https://auth0.com/docs/quickstart/spa/react/01-login with a new tenant and:
- Fire a `loginWithRedirect` using the `useAuth0` hook
- Fill in your email
- Click the link in your email and see the redirect back to your application
- Witness the `Oops... Invalid state` in the bare sample
Can the behavior be reproduced using the React SDK Playground?
I did not try this; the sample and our main application seemed like enough.
Environment
- auth0-react 1.1.0 & 1.4.0
- Chrome, Firefox
- React
- auth0-spa-js
Issue Analytics: created 2 years ago; 7 comments (3 by maintainers)
Hi @qbunt - by default we store the login transaction state in `sessionStorage`, but this doesn't work for passwordless, since you don't complete the OAuth flow on the same tab you started it. For Passwordless, you should use cookies to store the transaction state; you can enable this with the `useCookiesForTransactions` option, e.g.
The auth0-react docs haven't caught up with the spa-js docs, will make sure they do on the next release.
@adamjmcgrath Appears to solve our use case; there's no way I would have found that in the docs. Maybe a special callout for passwordless would be good; we were super stumped. Thanks for getting back to me.