
Getting AuthStateMissing/social-auth/complete/{backend}/ error


I have read the discussions on this bug report https://github.com/omab/python-social-auth/issues/534, but unfortunately, I could not figure out how to resolve my issue. I have just started working on the project that uses social django, and I apologise if I have asked a stupid question.

I am getting the following error in our production logs

EXCEPTION(most recent call first)
AuthStateMissing: Session value state missing.
  File "django/core/handlers/exception.py", line 41, in inner
    response = get_response(request)
  File "django/core/handlers/base.py", line 249, in _legacy_get_response
    response = self._get_response(request)
  File "django/core/handlers/base.py", line 187, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "django/core/handlers/base.py", line 185, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "newrelic/hooks/framework_django.py", line 499, in wrapper
    return wrapped(*args, **kwargs)
  File "django/views/decorators/cache.py", line 57, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "django/views/decorators/csrf.py", line 58, in wrapped_view
    return view_func(*args, **kwargs)
  File "social_django/utils.py", line 49, in wrapper
    return func(request, backend, *args, **kwargs)
  File "social_django/views.py", line 33, in complete
    *args, **kwargs)
  File "social_core/actions.py", line 41, in do_complete
    user = backend.complete(user=user, *args, **kwargs)
  File "social_core/backends/base.py", line 40, in complete
    return self.auth_complete(*args, **kwargs)
  File "social_core/utils.py", line 252, in wrapper
    return func(*args, **kwargs)
  File "social_core/backends/oauth.py", line 388, in auth_complete
    state = self.validate_state()
  File "social_core/backends/oauth.py", line 90, in validate_state
    raise AuthStateMissing(self, 'state')

In production, we have written our custom OAuth2 implementation and a custom backend which does a 302 redirect to the redirect URI, which is deployed on a different host than our OAuth2 backend.

{
    logMessage:  "Removing session from scope."     
    severity:  "DEBUG"     
    sourceLocation: {
     file:  "/base/data/home/apps/s~myproject-hrd/master-5-22-2.409769015905238004/sql/sessions.py"      
     functionName:  "managed_session"      
     line:  "89"      
    }
    time:  "2018-05-18T15:25:35.060309Z"     
   }
  ]
  megaCycles:  "116"   
  method:  "GET"   
  requestId:  "5afef06e00ff0eb200ff5fa38dcb0001737e6f7074696d697a656c792d68726400016d61737465722d352d32322d32000100"   
  resource:  "/oauth2/authorize?client_id=<client_id>&redirect_uri=<redirect_uri>&response_type=code&state=8wMwIRZBpIFyxID3bZQr8Hr53xsfdJWt&scopes=all"   
  responseSize:  "374"   
  startTime:  "2018-05-18T15:25:34.963072Z"   
  status:  302   
  traceId:  "674fbe9ae6e31083640017c40f339010"   
  urlMapEntry:  "main.app"   
  userAgent:  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"   
  versionId:  "master-5-22-2"   
 }

Our pipelines

SOCIAL_AUTH_PIPELINE = (
    'social_core.pipeline.social_auth.social_details',
    'social_core.pipeline.social_auth.social_uid',
    'social_core.pipeline.social_auth.auth_allowed',
    'social_core.pipeline.social_auth.social_user',
    'social_core.pipeline.user.get_username',
    'social_core.pipeline.mail.mail_validation',
    'social_core.pipeline.social_auth.associate_by_email',
    'social_core.pipeline.user.create_user',
    'social_core.pipeline.social_auth.associate_user',
    'social_core.pipeline.social_auth.load_extra_data',
    'social_core.pipeline.user.user_details',
    # ... other pipelines ...
)

These are all the logs that I have. I don’t know what I could be doing wrong for this to be raised. Any suggestions would be gratefully appreciated.

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 1
  • Comments: 9 (1 by maintainers)

Top GitHub Comments

4 reactions
zain commented, Nov 8, 2018

Another thing to try if you are seeing the AuthStateMissing error: in settings.py, add SESSION_COOKIE_SAMESITE = None.

In my case, I only saw the error on Safari upon the redirect in the last leg of OAuth. The weirdest part was that I could refresh the page and the error would go away.

Upon further digging, I realized Safari wasn’t sending any cookies on the redirect, but would send cookies when I hit refresh (so the cookies were set correctly, just not being sent). I found the SESSION_COOKIE_SAMESITE setting which, by default, will strip your cookies on that redirect, and thus Django cannot find your session.

2 reactions
krnsingh09 commented, Sep 6, 2019

I was also facing the same issue, but changing SESSION_COOKIE_SAMESITE from ‘strict’ to None solved it for me. Actually, setting SESSION_COOKIE_SAMESITE to strict restricts the cookie to a single site, and the error occurs. So setting SESSION_COOKIE_SAMESITE to None won’t cause any problem when switching between different sites.

Hence, check this in your settings.py to see if it solves your problem.
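The comments above turn on whether the browser attaches the Django session cookie (which holds the OAuth state) to the cross-site redirect back to /social-auth/complete/{backend}/. The following is an added example, not code from the issue or from python-social-auth: a simplified model of the SameSite rules, not any particular browser's implementation, comparing that callback with a cross-site POST, the request class SameSite is meant to block. The cookie values, scenario names and the Lax fallback for a missing attribute are assumptions.

```python
from http.cookies import SimpleCookie

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def cookie_is_sent(set_cookie, *, same_site_request, top_level_navigation, method):
    """Simplified SameSite decision for one cookie on one request."""
    morsel = next(iter(SimpleCookie(set_cookie).values()))
    mode = morsel["samesite"].lower()
    if mode not in ("strict", "lax", "none"):
        mode = "lax"  # assumption: missing/unknown attribute is treated as Lax
    if same_site_request:
        return True  # same-site requests always carry the cookie
    if mode == "strict":
        return False  # never sent on a request initiated from another site
    if mode == "lax":
        # only cross-site top-level navigations using a safe method
        return top_level_navigation and method in SAFE_METHODS
    # SameSite=None: sent cross-site, but only when the cookie is also Secure
    return bool(morsel["secure"])


# Constructed Set-Cookie values (not taken from the issue's logs).
COOKIES = {
    "Strict": "sessionid=constructed; Path=/; Secure; HttpOnly; SameSite=Strict",
    "Lax": "sessionid=constructed; Path=/; Secure; HttpOnly; SameSite=Lax",
    "None": "sessionid=constructed; Path=/; Secure; HttpOnly; SameSite=None",
    "None-insecure": "sessionid=constructed; Path=/; HttpOnly; SameSite=None",
}

# The provider's 302 back to the callback URL: cross-site, top-level GET.
OAUTH_CALLBACK = dict(same_site_request=False, top_level_navigation=True, method="GET")
# A form on another site posting to the application: cross-site POST.
CROSS_SITE_POST = dict(same_site_request=False, top_level_navigation=True, method="POST")


def matrix():
    """Map each cookie to (sent on OAuth callback, sent on cross-site POST)."""
    return {
        name: (cookie_is_sent(v, **OAUTH_CALLBACK), cookie_is_sent(v, **CROSS_SITE_POST))
        for name, v in COOKIES.items()
    }


if __name__ == "__main__":
    for name, (callback, post) in matrix().items():
        print(f"{name:14} callback={callback!s:5} cross-site POST={post}")
```

In this model Lax is the only setting that keeps the session on the callback while still withholding it from the cross-site POST; None sends it on both, so CSRF protection then rests entirely on Django's CSRF middleware and the OAuth state check.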
