Unable to verify authorization request state.


I have not changed anything in my original setup (which worked up until last week). My Auth0 strategy is as follows:

	// Perform the login
	app.get('/login',  passport.authenticate('auth0', {
	    clientID: env.AUTH0_CLIENT_ID,
	    domain: env.AUTH0_DOMAIN,
	    redirectUri: env.AUTH0_CALLBACK_URL,
	    audience: env.AUTH0_AUDIENCE,
	    responseType: 'code',
	    scope: 'openid profile'
	  }),
	  function(req, res) {
	    res.redirect('/');
	  }
	);

When a user goes to log in, they will be sent to Auth0's authentication screen.

It lets me successfully log in to an account, however upon returning to this function:

	app.get('/authenticate', passport.authenticate('auth0', { failureRedirect: '/' }),
	  function(req, res) {
	    console.log('called 4');
	  }
	);

The failure redirect is ALWAYS called, even though when I check my account, it reports that a successful login has happened.

So I added the custom callback to the above function like so:

	app.get('/authenticate', passport.authenticate('auth0', function(err, user, info) {
	    console.log("authenticate");
	    console.log(err);
	    console.log(user);
	    console.log(info);
	  }, { failureRedirect: '/' }),
	  function(req, res) {
	    ...
	  }
	);

Which now gives me the response:

	authenticate
	null
	false
	{ message: 'Unable to verify authorization request state.' }

What does this mean? I cannot find anywhere in the documentation or the community posts that states that on an average authentication method I would need to add a request state.

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 15
  • Comments: 19 (2 by maintainers)

Top GitHub Comments

27 reactions
markusdosch commented, Apr 8, 2019

I had the same error ('Unable to verify authorization request state.'). Trusting the first proxy (my app is behind an nginx reverse proxy) solved it for me:

	// sess is the options object that is later passed to session(sess)
	if (process.env.NODE_ENV === 'production') {
	  app.set('trust proxy', 1); // trust first proxy
	  sess.cookie.secure = true; // serve secure cookies, requires https
	}

I got the solution from https://www.npmjs.com/package/express-session#cookiesecure

Hope this helps someone! 😊

15 reactions
commanderfun commented, Oct 25, 2018

I also had this exact issue and was able to fix it by setting the Express Session module’s cookie.sameSite option to: false

	cookie: { sameSite: false }
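
Both fixes above concern the same thing: whether the session cookie that carries the stored state is issued at /login and sent back on the callback request. A simplified model of that round trip follows, added here as an illustration and not code from the thread, passport or express-session; every function name, the cookie jar, the sample request and the mismatch message are constructed assumptions.

```javascript
// Simplified model of the login round trip (hypothetical names throughout).

// Does the app see the request as HTTPS? A direct TLS connection counts;
// X-Forwarded-Proto counts only when the proxy is trusted.
function isSecure(req, trustProxy) {
  return req.tlsToApp || Boolean(trustProxy && req.forwardedProto === 'https');
}

// Leg 1 (/login): the state is stored in the session. With cookie.secure set,
// the session cookie is only issued when the request looks secure.
function loginLeg(cfg, req, state) {
  const store = { sid1: { state } };
  const issued = !cfg.cookie.secure || isSecure(req, cfg.trustProxy);
  const jar = issued ? { sid: 'sid1', sameSite: cfg.cookie.sameSite } : null;
  return { store, jar };
}

// Leg 2 (/authenticate): cross-site redirect back from the identity provider.
// Browsers withhold SameSite=Strict cookies (sameSite: true or 'strict') here.
function callbackLeg({ store, jar }, returnedState) {
  const sent = jar !== null && jar.sameSite !== true && jar.sameSite !== 'strict';
  const session = sent ? store[jar.sid] : {}; // no cookie: fresh, empty session
  if (!session.state) {
    return { user: false, info: { message: 'Unable to verify authorization request state.' } };
  }
  if (session.state !== returnedState) {
    return { user: false, info: { message: 'state mismatch (placeholder message)' } };
  }
  return { user: { id: 'constructed-user' }, info: {} };
}

function roundTrip(cfg, req) {
  const state = 'constructed-state';
  return callbackLeg(loginLeg(cfg, req, state), state);
}

// Constructed request: TLS ends at nginx, plain HTTP from nginx to the app.
const behindProxy = { tlsToApp: false, forwardedProto: 'https' };
const cases = {
  untrustedProxy: { trustProxy: false, cookie: { secure: true, sameSite: false } },
  trustedProxy: { trustProxy: 1, cookie: { secure: true, sameSite: false } },
  strictCookie: { trustProxy: 1, cookie: { secure: true, sameSite: 'strict' } },
};
for (const [name, cfg] of Object.entries(cases)) {
  console.log(name, roundTrip(cfg, behindProxy).info);
}
```

In this model `sameSite: 'lax'` also passes the callback leg, because only Strict cookies are withheld on the provider's redirect.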
