Closed Saikumar-Hexaware closed 4 years ago
I have cloned the repo and configured the properties accordingly but I am getting the below error: Failed to validate data received from Authorization service. Please help with this.
Same here. Debugging revealed that no cookie named 'msal_web_app_auth_state' is stored.
@Saikumar-Hexaware @mfwvo9 Can you share the browser and the browser version you are using?
@sangonzal browser is Google Chrome and version is Version 79.0.3945.117 (Official Build) (64-bit).
Chromium Version 79.0.3945.130 (Developer Build) built on Debian 10.2, running on Debian 10.3 (64-bit)
I am getting the same error. Looks like there is no state & nonce parameter in the request header. I am using Chrome version 80 32-bit. The code doesn't work at all on IE. Is it a browser issue or something else? Please help.
Which cookie should we check, as msal_web_app_auth_state is not stored? It's either CCState or SignInStateCookie. Also facing the same error for nonce. No nonce cookie stored.
I am having the same issue here. I tried to set up to SSL instead but my Ajax got blocked...
Since most of you are experiencing the issue on Chrome browser, this may be related to SameSite updates. Please take a look at this article: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-handle-samesite-cookie-changes-chrome-browser?tabs=java
We have updated this sample to handle the SameSite issues [here](https://github.com/Azure-Samples/ms-identity-java-webapp/pull/24). Let us know if this does not resolve the issues. CC: @SomkaPe - FYI
@navyasric, it looks to me like the SameSite fix you referenced has been reverted. Can we have some more guidance on how to fix the issue?
@navyasric I'm getting the same issue. Has this been fixed?
@rainbowrain0912: Are you still getting an error when using the latest version of the sample? If so, could you post any error messages or a description of what you're running into?
Yes. I'm getting: Failed to load resource: the server responded with a status of 404 () during authentication. It's not reaching SAFELogin.html. Did I miss something?
In my `AuthPageController.java`, I basically just modified the `@RequestMapping`:

```java
@RequestMapping("/cqm-DEV")
public String homepage(){
    return "index";
}

@RequestMapping("/cqm-DEV/SAFELogin.html")
public ModelAndView securePage(HttpServletRequest httpRequest) throws ParseException {
    ModelAndView mav = new ModelAndView("auth_page");
    setAccountInfo(mav, httpRequest);
    return mav;
}
```
@rainbowrain0912: After you changed the default path from `/msal4jsample/secure/aad` to `/cqm-DEV/SAFELogin.html`, did you also change the path of the `redirectUriSignin` property in `application.properties` and add it to your app in Azure?
Assuming you're still using the default localhost and port values, in `application.properties` the `redirectUriSignin` line should be:

```
aad.redirectUriSignin=https://localhost:8443/cqm-DEV/SAFELogin.html
```

And for your app registration in Azure, in the Authentication panel you should add that URL in the same way you added the other two redirect URLs in step 5 of the 'Register the app' section of the README.
If you're still getting the error after confirming that's all configured consistently, try reverting any changes you've made to default paths, both in the code and in your app registration in the Azure portal, and seeing if the error persists.
Thank you for your reply. I got it to work now.
My `AuthPageController.java` and `application.properties` were updated already.
What I missed earlier was to modify this part of `Authfilter.java`, since I didn't use the default URIs.

```java
private List<String> excludedUrls = Arrays.asList("/", "/msal4jsample/");
```

I changed it to:

```java
private List<String> excludedUrls = Arrays.asList("/", "/victory/cqm-DEV/");
```

It worked fine after the change.
Check if SameSite cookie entries exist in the Apache configuration or Tomcat configuration (context.xml). If yes, remove them. Then the session will hold the attributes. Hence the above exception will vanish.
Add SameSite to the cookies

```xml
<CookieProcessor sameSiteCookies="strict" />
```
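Added example, not part of the thread or of the sample's own code: a stand-alone Java check of whether a cookie would be returned on the cross-site POST that brings the sign-in response back from the authorization service, following Chrome 80's SameSite handling. The class name, verdict names and `Set-Cookie` values are constructed for illustration, and it assumes the response arrives as a top-level cross-site form POST.

```java
import java.util.List;
import java.util.Locale;

public class SameSiteCheck {                       // hypothetical helper, not from the sample

    enum Verdict { SENT, SENT_ONLY_IF_FRESH, BLOCKED_SAMESITE, REJECTED_NOT_SECURE }

    /** Would Chrome 80+ attach this cookie to a top-level cross-site POST? */
    static Verdict onCrossSitePost(String setCookie) {
        String sameSite = null;
        boolean secure = false;
        String[] parts = setCookie.split(";");
        for (int i = 1; i < parts.length; i++) {   // parts[0] is name=value
            String attr = parts[i].trim().toLowerCase(Locale.ROOT);
            if (attr.equals("secure")) {
                secure = true;
            } else if (attr.startsWith("samesite=")) {
                sameSite = attr.substring("samesite=".length()).trim();
            }
        }
        if ("none".equals(sameSite)) {
            // SameSite=None is only accepted together with Secure (HTTPS).
            return secure ? Verdict.SENT : Verdict.REJECTED_NOT_SECURE;
        }
        if ("lax".equals(sameSite) || "strict".equals(sameSite)) {
            return Verdict.BLOCKED_SAMESITE;       // never sent on a cross-site POST
        }
        // No (or unrecognised) SameSite: treated as Lax, but Chrome's Lax+POST
        // allowance still sends it while the cookie is under two minutes old.
        return Verdict.SENT_ONLY_IF_FRESH;
    }

    public static void main(String[] args) {
        // Constructed Set-Cookie values; names follow the thread and Tomcat's default.
        List<String> headers = List.of(
            "JSESSIONID=0A1B2C; Path=/; HttpOnly",
            "JSESSIONID=0A1B2C; Path=/; HttpOnly; SameSite=Strict",
            "msal_web_app_auth_state=xyz; Path=/; SameSite=None",
            "msal_web_app_auth_state=xyz; Path=/; Secure; HttpOnly; SameSite=None");
        for (String h : headers) {
            System.out.printf("%-20s %s%n", onCrossSitePost(h), h);
        }
    }
}
```

Feed it the `Set-Cookie` values seen in the browser's network tab for the sign-in request; any verdict other than `SENT` for the cookie that carries the session or state means the stored state and nonce may not be found when the response is validated.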
Hi, I seem to still be getting the above hence causing my browser to redirect indefinitely when attempting to login. My application when deployed currently lies on an app service. The error is not reproducible in local as login works properly when in local.