CSRF mismatch because of missing cookies

Describe the bug We are currently having trouble with our custom provider because the state verification fails:

[next-auth][error][callback_oauth_error] Error: Invalid state returned from oAuth provider

I looked further into it (with some quick and dirty console.log) and noticed, that the CSRF cookie is renewed after the final redirect and therefore causing a CSRF mismatch.

This seems to be a symptom of not being able to retrieve the expected cookie (next-auth.csrf-token) after returning from the provider. Indeed, both NextAuth cookies (next-auth.csrf-token and next-auth.callback-url) are missing on the GET request that hits /api/auth/callback/custom?code=abc&state=xyz as part of the OAuth callback. But other session cookies used by our application can be found within that request.

Steps to reproduce I am not able to provide a detailed reproduction as this may also depend on the configuration of our internal provider, sorry.

Expected behavior I expect the previously issued CSRF cookie to be found after authenticating on the provider and the state verification to pass.

Additional context As far as I can see, the cookie cannot be found on line 160, the check on 171 fails and then the cookie gets recreated on 176:

https://github.com/nextauthjs/next-auth/blob/78fd783bac990d8f2109487ac6598a38e3173f40/src/server/index.js#L160-L177

Feedback

Found the documentation helpful
Found documentation but was incomplete
Could not find relevant documentation
Found the example project helpful
Did not find the example project helpful

Issue Analytics

State:
Created 3 years ago
Reactions:3
Comments:22 (10 by maintainers)

Top GitHub Comments

3reactions

timonwebercommented, Jan 25, 2021

@iaincollins Thanks for looking into this. I am happy to provide the details you asked for:

We are only using a single custom provider at the moment, which implements our own OAuth server (based on oidc-provider).
Everything is set up with the Client API. The described issue is related to a signIn() call.
We saw this in production first (local and staging environment were working fine), but last week it started to happen on my local machine as well. Very wild… 🤷

@balazsorban44 Thank you for the ping. I will try out the canary release and let you know if this changes the issue somehow.

@af608 Thanks for provide some more details. Indeed, it seems to be related to Safari…

2reactions

timonwebercommented, Apr 28, 2021

@balazsorban44 Thanks for the update and sorry for the late reply! I finally found the time to upgrade NextAuth to v3.18.0 (built-in types, yey!). I can confirm that the state issue is gone as I can see the following in the server console now:

[next-auth][debug][oauth_callback_protection] Comparing received and expected state {
  state: '2b03d568ce05161ea9f5df9b13187ae00e927214c31a5f6133bb79208cef1c98',
  expectedState: '2b03d568ce05161ea9f5df9b13187ae00e927214c31a5f6133bb79208cef1c98'
}

But unfortunately I am still not able to upgrade, because the whole authentication flow is broken for me in newer versions as described in my comment above. Even adding your custom cookies configuration does not help. Should I open a new issue about that?