
State not valid (expected: null, received: .....) after password reset #1492

Open
przem opened this issue Jan 10, 2025 · 4 comments

Comments


przem commented Jan 10, 2025

Issue and Steps to Reproduce

Here is the flow:
User enters the application, clicks Submit, and gets forwarded to the authorization server in the same tab. The authorize URL contains the state parameter.
On the AuthServer login screen, the user clicks "forgot password", provides an email address and submits. In a few seconds they get an email with a link to reset the password. The user clicks the link, which opens a new tab with a form, and on submit the user is forwarded to the application. The callback contains the code and the state parameter, the same as at the beginning of the process.
Application shows error authentication page with errors:

- storage[oidc.login.default] is empty, you should have an bad OIDC or code configuration somewhere.
- Error: State not valid (expected: undefined, received: CBY4cjIuYqiqstIO)

I think the key issue is that the second part of the process is continued in the new tab, where there is no state persisted in sessionStorage. But is the lack of state in storage a reason why the flow cannot be continued and get the token?

Before you ask, localStorage is not allowed for security reasons.

I think the flow described is quite standard, so probably I might be doing something wrong.

Versions

"@axa-fr/oidc-client": "^7.24.0",
"@axa-fr/react-oidc": "^7.24.0",

Screenshots

(Screenshot 2025-01-10 at 15:24:37; image not included)

Configuration

```ts
// Assumed import: OidcConfiguration is the configuration type exported by @axa-fr/react-oidc.
import type { OidcConfiguration } from '@axa-fr/react-oidc';

// `env` is the application's own Vite environment object (not shown in the issue).
export const configurationObj: OidcConfiguration = {
	client_id: env.VITE_AUTH_CLIENT_ID,
	redirect_uri: env.VITE_AUTH_REDIRECT_URI,
	scope: env.VITE_AUTH_SCOPE || 'openid profile email',
	authority: env.VITE_AUTH_AUTHORITY,
	service_worker_only: false,
	demonstrating_proof_of_possession: false,
};
```

Installed packages

"react": "^17.0.2",
"react-router-dom": "^6.2.1",

@magdalenapaluch

I have the exact same issue, did you manage to solve it?


przem commented Jan 14, 2025

> I have the exact same issue, did you manage to solve it?

@magdalenapaluch Until it gets finally resolved we've set up the service worker, but it's more of a workaround.

@guillaume-chervet (Contributor)

Hi @przem, thank you for your issue.
The bug happens in session mode but not with the service worker?
It will help me to understand.


przem commented Jan 20, 2025

Yes, when the service worker is enabled, there is no error and the application works as it should.
The problem occurs when there is no service worker and sessionStore is used.
