Error: Invalid state. [GCP] #558

Open
marepa opened this issue Jul 29, 2024 · 5 comments
@marepa

marepa commented Jul 29, 2024

We do have this quote often, and today - right as I was typing this report - it finally occurred to me. We use Google Cloud Platform + a custom SSO server. We think the problem is that there are 2 (or more) instances, so that a user who logged in on the first one and tries to log in on the second one gets this issue.

This problem seems to occur only when a second instance of GCP is activated. Not in local ENV (Laravel Valet) and not in DEV (only 1 instance forced at a time).

What happened to me step by step

  1. I logged in Friday evening to make changes
  2. did not touch the website till today
  3. opened website, go to login (wp-login.php)
  4. click "Login with OpenID connect"
  5. goes immediately back (because SSO server confirmed my login automatically)
  6. see the "Invalid state"

Expected behavior
Logged in as usual

WordPress Environment

  • Environment: nginx/1.18.0
  • PHP Version: 8.2.21
  • WordPress Version: 6.5.4
  • Plugin Version: 3.10.0
  • Identity Provider: custom SSO server
@marepa marepa added the bug label Jul 29, 2024
@timnolte
Collaborator

I'm not clear on how this is a bug with the plugin. The state is generated by the plugin and is valid only for a certain amount of time. If the WordPress login page is left sitting for longer than 3 minutes then the state will have expired and will no longer be valid. The state is stored as a transient and generated when the login button is generated. I personally manage a large number of sites that are each using multiple web server instances and auto-scale, and there isn't an issue except for when the Login page is left on a user's screen for more than 3 minutes.

@marepa
Author

marepa commented Jul 29, 2024

Yes, I found the code for the 3min limit and everything around this. But this problem does not occur when you have 1 instance with GCP, but only if you have more (or the one you were connected to was deleted completely).

Our current idea is that the session is with the previous instance and not on the current one. But maybe we are wrong and should look for other things? Can this be an indication of something else?

@timnolte
Collaborator

Are you using new object caches or databases with each instance? If you aren't sharing the same single object cache and/or database instances with each website instance then that is also going to be a problem. Generally the Invalid State error is due to either the IDP not sending back the state for validation in the request or the state has expired. If you have multiple object caches or database instances involved then it's also possible that the transients aren't available or not being replicated fast enough.
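
Added example (not part of the thread and not the plugin's code): a small Python model of the failure modes described in the comment above, where the login button is served by one instance and the IDP callback lands on another. The class and function names, the in-memory store and the single-use deletion of the state are assumptions made for illustration; the 180-second lifetime is the 3-minute figure quoted in the thread.

```python
import secrets

STATE_TTL = 180  # seconds; the 3-minute state lifetime quoted in the thread


class TransientStore:
    """Stand-in for an object cache or database holding transients (assumed model)."""

    def __init__(self):
        self._items = {}

    def set(self, key, expires_at):
        self._items[key] = expires_at

    def pop(self, key):
        return self._items.pop(key, None)


class WebInstance:
    """One web server instance behind the load balancer (hypothetical)."""

    def __init__(self, store):
        self.store = store

    def render_login_button(self, now):
        # The state is created and stored when the login button is generated.
        state = secrets.token_urlsafe(32)
        self.store.set(state, now + STATE_TTL)
        return state

    def handle_callback(self, state, now):
        # Assumption: state is single use, so it is removed on first lookup.
        expires_at = self.store.pop(state) if state else None
        if expires_at is None:
            return "invalid state: not found in this instance's store"
        if now > expires_at:
            return "invalid state: expired"
        return "ok"


def simulate(shared, delay):
    """Button rendered on instance A, callback routed to instance B after `delay` s."""
    store_a = TransientStore()
    store_b = store_a if shared else TransientStore()
    a, b = WebInstance(store_a), WebInstance(store_b)
    state = a.render_login_button(now=0)
    return b.handle_callback(state, now=delay)
```

With `shared=False` the callback fails however quickly the IDP redirects back, which is the case to rule out when the error appears instantly and only with multiple instances.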

@marepa
Author

marepa commented Jul 29, 2024

Ok, will test, thanks for the ideas.

@marepa
Author

marepa commented Aug 14, 2024

Hi, we tried everything and disabled all caches. But basically we log in via SSO and redirect back to WP => instant "Invalid state."

It is happening only in PROD where we have NGINX + GCP (multiple instances).
