auth0 / auth0-spa-js

Auth0 authentication for Single Page Applications (SPA) with PKCE
MIT License

Always "Invalid state" in v1.2 #186

Closed jstayton closed 5 years ago

jstayton commented 5 years ago

Hey 👋

I just tried upgrading from v1.1.1 to v1.2 (doesn't matter which patch version), and I now get an "Invalid state" error 100% of the time when calling handleRedirectCallback. I've tried in both Chrome and Firefox, cleared cookies, etc. I didn't change any code – just the version number in package.json.

I'm happy to provide more details, I'm just not sure what would be helpful to know in this case. Let me know. Thanks!

wdrobinson commented 5 years ago

I'm seeing the same issue.

luisrudge commented 5 years ago

I just ran our default react quick start (with an updated version of the SDK) and it worked.

Can you please try this to see if it works with you as well? https://auth0.com/docs/quickstart/spa/react/01-login?download=true

Schmaga commented 5 years ago

I can confirm that we are having the same problem. Might it have something to do with being in a legacy tenant plan? We are using two tenants, one with a new free plan, one with a legacy plan. With the legacy plan, we are getting the error. The new tenant works. Just a thought. Have tried many other different things, none have helped, yet.

We have an angular 8 application, using an integration approach similar to your quickstart. Up until 1.1.1 we did not have any major issues.

I can also confirm that downgrading to 1.1.1 makes everything work again :)

jstayton commented 5 years ago

@luisrudge The React quick start works for me as well with v1.2.2.

Here's how I'm creating the client, if it helps:

```js
import createAuth0Client from '@auth0/auth0-spa-js';

// Client configuration as used in the app (client_id elided).
createAuth0Client({
  audience: 'http://localhost:3000',
  client_id: 'BmQe...',
  domain: '{my-development-domain}.auth0.com',
  redirect_uri: `${window.location.origin}/login/callback`
})
```

Schmaga commented 5 years ago

Some more information: We are also getting Invalid State errors like this with version 1.1.1, but only with a few clients and not all the time, which is very weird:

```text
Error: Invalid state
    at t.<anonymous> (https://web.my-app.app/main-es2015.2c76e8149da929396d9c.js:1:333211)
    at https://web.my-app.app/main-es2015.2c76e8149da929396d9c.js:1:313979
    at Object.next (https://web.my-app.app/main-es2015.2c76e8149da929396d9c.js:1:314084)
    at https://web.my-app.app/main-es2015.2c76e8149da929396d9c.js:1:313022
    at new M (https://web.my-app.app/polyfills-es2015.e9d02e561e557b4fb791.js:1:59695)
    at a (https://web.my-app.app/main-es2015.2c76e8149da929396d9c.js:1:312799)
    at t.handleRedirectCallback (https://web.my-app.app/main-es2015.2c76e8149da929396d9c.js:1:332791)
    at q.project (https://web.my-app.app/main-es2015.2c76e8149da929396d9c.js:1:931852)
    at q._tryNext (https://web.my-app.app/main-es2015.2c76e8149da929396d9c.js:1:575564)
    at q._next (https://web.my-app.app/main-es2015.2c76e8149da929396d9c.js:1:575482)
```

The errors also sometimes come paired with the following, leading to a breakdown of the whole login-flow on some browsers and platforms, but working in others:

```text
TypeError: Cannot read property 'split' of undefined
    at iss (https://web.my-app.app/main-es2015.2c76e8149da929396d9c.js:1:329816)
    at t._verifyIdToken (https://web.my-app.app/main-es2015.2c76e8149da929396d9c.js:1:330660)
    at t.<anonymous> (https://web.my-app.app/main-es2015.2c76e8149da929396d9c.js:1:333444)
    at https://web.my-app.app/main-es2015.2c76e8149da929396d9c.js:1:313979
    at Object.next (https://web.my-app.app/main-es2015.2c76e8149da929396d9c.js:1:314084)
    at c (https://web.my-app.app/main-es2015.2c76e8149da929396d9c.js:1:312855)
    at s.invoke (https://web.my-app.app/polyfills-es2015.e9d02e561e557b4fb791.js:1:53113)
    at Object.onInvoke (https://web.my-app.app/main-es2015.2c76e8149da929396d9c.js:1:633354)
    at s.invoke (https://web.my-app.app/polyfills-es2015.e9d02e561e557b4fb791.js:1:53053)
    at i.run (https://web.my-app.app/polyfills-es2015.e9d02e561e557b4fb791.js:1:48622)
```

From the logs it seems that we have been having this problem since migrating to the new auth0-spa-js library. No entries like that before. I am not sure if this is related, but it certainly smells like a very very similar problem.

luisrudge commented 5 years ago

@Schmaga I tested the react quickstart with an old tenant and with a new one as well, both work 🤔 do you have any rules running in any of the tenants?

@Schmaga we had some conversations about the second error you're having: https://github.com/auth0/auth0-spa-js/issues/70#issuecomment-519611820 - The first one is pretty weird though!

@jstayton @Schmaga Can you please send a HAR file of the failed attempt to luis.rudge@auth0.com? I'll take a look ASAP.

wdrobinson commented 5 years ago

@luisrudge it's happening to me with an Angular 8 app. It works fine using a non-prod build, but as soon as the --prod flag is added to the build the invalid state bug appears.

luisrudge commented 5 years ago

@wdrobinson perfect. Let me try that.

luisrudge commented 5 years ago

@wdrobinson I just tested this with our Angular QuickStart

And this works as expected, no state errors. Can you please try that?

wdrobinson commented 5 years ago

@luisrudge just tested. Works fine using ng serve or ng build and fails with the error using ng serve --prod or ng build --prod.

luisrudge commented 5 years ago

@wdrobinson perfect. I reproduced the issue. Thanks! @jstayton are you still using angular?

jstayton commented 5 years ago

@luisrudge No, I'm using Vue.

luisrudge commented 5 years ago

@jstayton can you build a quick repro that I can test it? I'm assuming it has to do with how the code is being minified/bundled, but I'm still investigating.

jstayton commented 5 years ago

@luisrudge Yeah, I can try to throw something together. FWIW, I'm seeing this in development with Vue CLI, not just a production build like @wdrobinson found with Angular.

kmaida commented 5 years ago

I can reproduce this invalid state error in an Angular production build (ng build --prod) in the quick start using auth0-spa-js v1.2.2. If I roll back to v1.1.1 and then do a production build, the issue seems to go away.

luisrudge commented 5 years ago

Ok folks, I found the issue. Not sure why, but vue-cli and ng-cli are aggressively trying to minify our already minified code, causing issues with one of our dependencies (qss).

Because of this bug, when our code tries to get the query string from the URL, it doesn't find the state param and fails. I'm already investigating a fix ASAP.

jstayton commented 5 years ago

@luisrudge Great sleuthing! Thanks for your work on this.

Enngage commented 5 years ago

Just encountered this issue in prod builds of Angular 9. Awesome this is in the works!

luisrudge commented 5 years ago

Fixed in version 1.2.3

adstep commented 5 years ago

Confirmed upgrading to 1.2.3 works for me!

jstayton commented 5 years ago

@luisrudge Thanks for your work on this, but unfortunately, v1.2.3 didn't fix this for me. I've emailed you a HAR file with the details.

Enngage commented 5 years ago

It fixed it for me. Thanks!

stevehobbsdev commented 5 years ago

> Yeah, I can try to throw something together. FWIW, I'm seeing this in development with Vue CLI, not just a production build like @wdrobinson found with Angular.

@jstayton It would be useful for us to see a repro from yourself to get to the bottom of this. We have a version of our Vue quickstart that has been upgraded to use the latest version of the SDK, and unfortunately I can't repro the issue there.

Could you perhaps try out this sample and compare the implementation with your own?

wdrobinson commented 5 years ago

Confirmed it's fixed for me as well!

daviseford commented 4 years ago

I am having this problem currently.

When users "Continue with Google", this fails silently in the background

```text
Uncaught (in promise) Error: Invalid state
    at t.<anonymous> (auth0-spa-js.production.js:1712)
```

My app is set up using the React Quick Start instructions with no modifications to anything.

luisrudge commented 4 years ago

@daviseford does it work if you use username/pass instead of google? are you using Auth0's development keys?

daviseford commented 4 years ago

Yes, and yes. I just created a ticket #245 for this if you want to move this conversation.

luisrudge commented 4 years ago

Thanks! Moving there.