Error: Invalid state returned from Google oAuth provider on production #656
Comments
Hmm, we have seen folks run into this before.
I think at least one of these can cause that problem. We really need to create a ticket to capture improving the debugging here before I forget about it again; if we logged the response at this point it would probably say what was wrong in the console.
I'm seeing the same issue, but only on the first login of a session. Try immediately again and all is fine. The error returns after logging in again after about |
Having the same issue here, but using the Facebook provider. Any luck solving this yet?
Just found out that the problem was with a firebase import. Basically, it just requires firebase-admin, initializes using serviceAccount and exports admin.firestore(). I'm still trying to understand why this error is happening when using firebase-admin...
@shrmaky Double-check your |
If you're using the |
Thanks @JNussens, I will try.
Hey, I'm having this same issue. I am convinced that the latest version of iOS or Safari for iOS broke authentication with Google. I've tested this an ungodly number of times. I ONLY get this error when I try to log in from an iPhone. I tested Android, Windows and Chrome on macOS. It's all good. I'm absolutely positively sure that my code and callback URLs, Client ID and Secret are correct. Otherwise, I would not be able to log in from any other device. Here's my next-auth config.
|
I am facing the same problem. It happens randomly; most of the time everything works just fine and sometimes it doesn't. I am using the same config.
@anerror404 Are you using a PWA with your app? I think that's what is causing the issue. See here.
I am not using a PWA. It works perfectly 95% of the time, I guess. It suddenly stops working when a user tries to log in with Facebook or Google. Sometimes it even works on one device and doesn't on another at the same time. Sometimes I get this error when the user clicks on the social login icon, sometimes when the user clicks on the social login icon and chooses the user account. It's causing me serious problems as I'm running an e-commerce site. People can't order without logging in.
@anerror404 in #952 @martinatwainobicom provided a solution:

```js
// [...nextauth].js
import NextAuth from 'next-auth'
import Providers from 'next-auth/providers'

export default NextAuth({
  providers: [
    Providers.Google({
      clientId: process.env.NEXTAUTH_GOOGLE_ID,
      clientSecret: process.env.NEXTAUTH_GOOGLE_SECRET,
      state: false, // Disable the state feature
    }),
  ],
})
```

It worked for me, but apparently this opens a CSRF vulnerability. I cannot advise you to use it because I don't know the implications of this solution. This is what the documentation says about the state:
|
I also had a problem with the Google and Facebook providers not allowing me to log in from Safari on iOS.
|
@fiftie Thanks for that detail, I will look at that in the upcoming release and see if I can reproduce it and whether we can come up with a fix. The client should definitely be doing that automatically.
@returndiego
I've only just seen this message! Thanks for the detail. That's really helpful.
Hey, that's great! Disabling state for a provider using I think how we are doing state has been refactored a bit in canary, so it will be interesting to see if it resolves itself. If this fix resolves the issue on iOS, though, it's perfectly fine and I think we'd consider making it the default for Google if we can't get to the bottom of it. I saw this as it was tagged in #1179 @timonweber and that's interesting and might be worth exploring. I wonder if there is something else about how Safari works on iOS that is triggering this and that we might need to look at. I welcome feedback from anyone else who has run into this issue and whether the suggested fix resolves it for them.
@iaincollins Also, this problem was reproduced with |
Hi @balazsorban44, I am seeing the same issue using the latest canary build [3.2.0-canary.35]. I added a comment with some more details here: (#1179) |
@iaincollins @balazsorban44 3.2.0-canary.35
3.1.0
|
Interesting. Could you enable logging with the |
@iaincollins
PS:
|
I'm having the same issue - can login fine on |
Could someone from here check whether modifying the cookies config as defined here (#1664 (comment)) makes any difference?
For folks using next-pwa, the latest version should fix this problem for you.
The issue for me was that my site was accessible with both www and non-www; my |
I was able to reproduce this issue in my production app, and it ended up being the same problem mentioned by @Ash-Kay in the previous comment. Every time I accessed the web app without using "www" in the URL, the OAuth error would be thrown. In the same way, if I logged in using the www domain, then manually removed the "www" portion of the URL and reloaded the page, the NextAuth session would be dropped. As in @Ash-Kay's case, I was able to change my Nginx config to redirect the non-www requests to the www domain.
@Ash-Kay @donovanperalta Solved it by redirecting the www to the non-www version of my domain. Amazing insight, thank you so much, guys!!!
Running into this same issue on Google Cloud Run. The site works great locally. I have added all production URLs on the Google API page. I have even tried messing about with |
Hello everyone,
My Next-Auth application works completely fine when I run it in a local environment; the redirection from Google and session registration in MongoDB work fine.
When I try to run the same application with the same Google ID & secret in production, it throws Error: Invalid state returned from oAuth provider.
I have already set a valid NEXTAUTH_URL, DATABASE_URL, GOOGLE_ID & GOOGLE_SECRET.