auth0 / express-openid-connect

An Express.js middleware to protect OpenID Connect web applications.
MIT License

checks.state argument is missing #512

Closed maciekpaprocki closed 1 year ago

maciekpaprocki commented 1 year ago

Description

Got quite a few of those errors happening in production. Weirdly, when I try to log in every method works fine, and I've seen a bunch of people logging in properly, so I think it's only affecting a fraction of users.

I've seen https://github.com/auth0/express-openid-connect/issues/467 but that issue seems to be for a very specific case, where I see a small chance of my users actually ending up in this scenario. Not in those numbers (happened 3-4 times for 12 registrations).

BadRequestError: checks.state argument is missing
    at ResponseContext.callback (/var/app/current/node_modules/express-openid-connect/lib/context.js:354:15)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)

Is it a bug? Any idea why it is happening (what user actions cause it)? How to deal with it?

Reproduction

Pretty standard Auth0 Express backend app.

const { auth } = require('express-openid-connect');

const openidAuthConfig = {
    authRequired: false,   // routes are public unless they opt in
    auth0Logout: true,     // /logout also ends the Auth0 session
    baseURL: DOMAIN,
    secret: AUTH0_SECRET,
    clientID: AUTH0_CLIENT_ID,
    issuerBaseURL: AUTH0_ISSUER_BASE_URL
};

app.use(auth(openidAuthConfig));

Additional context

I can only find it in logs; I didn't experience it while I was testing, so reproducing is pretty much a game of numbers, or some particular emails or something like that.

express-openid-connect version

2.16

Express version

5

Node.js version

18

adamjmcgrath commented 1 year ago

Hi @maciekpaprocki - thanks for raising this

Take a look at https://github.com/auth0/express-openid-connect/issues/145#issuecomment-707024770 and https://github.com/auth0/express-openid-connect/issues/267#issuecomment-902715653 for an explanation of the error and some tips on debugging.

> How to catch it? Seems like checking for the message and BadRequestError? I understand BadRequestError can happen in a lot more cases than only this. How to deal with it on the UX side.

BadRequestError just means that the client is making a bad request and the server can't log the user in. All you can do is prompt the user to try to log in again (and also debug the underlying issue using the links I shared).
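The handling described in the reply above, written out as an Express error-handling middleware. This is an added example, not code from the issue or from express-openid-connect. It assumes the library raises http-errors style objects for failed callback checks (name `BadRequestError`, `status`/`statusCode` 400, the message shown in the stack trace) and that `/login` is the app's login route (the library's default); `createCallbackError` and `fakeResponse` build constructed inputs so the file runs offline.

```javascript
// Added example: classify and handle the callback BadRequestError from the issue.
// Assumption: the error looks like an http-errors object (name 'BadRequestError',
// status 400). Assumption: '/login' is the login route.
const LOGIN_PATH = '/login';

// Running tally so the share of failed logins can be measured instead of guessed.
const counters = { missing_state: 0, bad_request: 0 };

function isBadRequestError(err) {
  if (!err || err.name !== 'BadRequestError') return false;
  return err.status === 400 || err.statusCode === 400;
}

// Separate the specific failure from the issue from any other 400 the library raises,
// and leave everything else ('other') to the default error handler.
function classifyOidcError(err) {
  if (!isBadRequestError(err)) return 'other';
  return /checks\.state argument is missing/.test(err.message) ? 'missing_state' : 'bad_request';
}

function retryPage(kind) {
  const reason = kind === 'missing_state'
    ? 'Your sign-in could not be verified.'
    : 'Your sign-in request could not be completed.';
  return `<!doctype html><p>${reason}</p><p><a href="${LOGIN_PATH}">Try signing in again</a></p>`;
}

// Express error middleware (four arguments). Mount it after auth() and after
// the routes: app.use(oidcErrorHandler).
function oidcErrorHandler(err, req, res, next) {
  const kind = classifyOidcError(err);
  if (kind === 'other') return next(err);
  counters[kind] += 1;
  // Record the context the linked debugging tips ask about: which host the
  // callback arrived on and whether the browser sent any cookies with it.
  const headers = req.headers || {};
  console.warn('OIDC callback rejected', {
    kind,
    path: req.originalUrl || req.url,
    host: headers.host,
    hasCookies: Boolean(headers.cookie),
    message: err.message,
  });
  // UX side: the login attempt is lost, so say so plainly and offer a fresh start.
  return res.status(400).send(retryPage(kind));
}

function getCounters() {
  return { ...counters };
}

// Constructed error shaped like the one in the issue's stack trace (not produced by the library here).
function createCallbackError(message) {
  const e = new Error(message);
  e.name = 'BadRequestError';
  e.status = 400;
  e.statusCode = 400;
  return e;
}

// Minimal stand-in for an Express response, enough to observe status() and send().
function fakeResponse() {
  const r = { code: null, body: null };
  r.status = (c) => { r.code = c; return r; };
  r.send = (b) => { r.body = b; return r; };
  return r;
}
```

The handler deliberately renders a page with a link rather than redirecting straight back to `/login`: if the underlying cause persists for that browser, an automatic redirect would loop, whereas a page gives the user a clear message and lets operators see the failure rate in `getCounters()` (or whatever metrics sink replaces it).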

adamjmcgrath commented 1 year ago

Closing due to inactivity