This repository has been archived by the owner on Apr 5, 2022. It is now read-only.

The OAuth2 'state' parameter is missing or doesn't match #216

Open
DMZakaria opened this issue Dec 3, 2016 · 9 comments

Comments

@DMZakaria

DMZakaria commented Dec 3, 2016

I am developing a mobile application using JHipster and JHipster-Ionic along with Cordova. Currently, I am using Token-based AngularJS Authentication (Satellizer) to log in with OAuth 2.0, and I have an issue with Spring Social. This is the exception in my logs:

java.lang.IllegalStateException: The OAuth2 'state' parameter is missing or doesn't match.
    at org.springframework.social.connect.web.ConnectSupport.verifyStateParameter(ConnectSupport.java:173)
    at org.springframework.social.connect.web.ConnectSupport.completeConnection(ConnectSupport.java:155)
    at org.springframework.social.connect.web.ProviderSignInController.oauth2Callback(ProviderSignInController.java:228)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)

I did a debug on my back end and the issue is coming from this function in the ConnectSupport class:

private void verifyStateParameter(NativeWebRequest request) {
    // the value the provider sent back on the callback URL
    String state = request.getParameter("state");
    // the value cached when the flow started; looked up from the session, so null when no session is found
    String originalState = extractCachedOAuth2State(request);
    if (state == null || !state.equals(originalState)) {
        throw new IllegalStateException("The OAuth2 'state' parameter is missing or doesn't match.");
    }
}

My state is well initialized by Satellizer but the originalState is always null.

You can check my post on stackoverflow

@bvulaj

bvulaj commented Jan 8, 2017

I'm having this issue as well, with a simple Facebook sign-in using the Spring Social ProviderSignInController. The request goes out with the proper state param, and the request comes back with the proper state param; however, the check in verifyStateParameter always sees originalState as null.

@bvulaj

bvulaj commented Jan 8, 2017

Digging a bit deeper, it seems that the HttpSession itself is null, causing getAttribute to squash the exception and just return null. For what it's worth, I'm also using Spring Session.

@DMZakaria
Author

@bvulaj Thanks for your reply. Do you have any idea how to solve this problem?

@bvulaj

bvulaj commented Jan 8, 2017

That's as far as I've debugged it so far, but I am still looking. No HttpSession is found during the OAuth2 callback, and therefore, since there is no HttpSession, there is no original state to compare to.

I don't imagine this is a Redis Session issue, but I'm also not sure. On the initial signin/signup call, the initial state seems to be persisted successfully in the Redis session.

core version: 1.1.4
fb version: 2.0.3

@habuma
Contributor

habuma commented Jan 20, 2017

FWIW, I've tried this both with and without Spring Session (Redis) involved and haven't had any issues. That said, the HttpSession is ultimately provided by the container that the application is running in or (in the case of Spring Session) by Spring Session. Therefore, if the HttpSession is missing, it gives the appearance that something outside of Spring Social is failing for some reason.

Don't misunderstand this as me throwing blame to another project. I still am keenly interested in hearing more information that might advise this issue and will react with changes to Spring Social if necessary.

I'll leave this issue open for the time being, pending further information. At this point, I'm unable to recreate the issue. But if there is any other pertinent data you can provide that will help pinpoint the problem, please share it here and I'll attempt again to recreate the problem on my end.

@vauvenal5

Well, I have another view on this matter. Given that I am using a microservice + JWT architecture, my users do not have sessions in this sense, ultimately leading to the same problem: Spring Social cannot find the original "state" attribute. I think the whole approach of saving the "state" into the session has to be reconsidered, or at least not hard-coded, so that the SessionStrategy can be exchanged for custom strategies.
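To make the two sides of this thread concrete, here is an added illustration (not Spring Social's code; the class, method and attribute names are hypothetical) of the session-backed check quoted in the opening post and of the session-free alternative suggested in this comment. Part 1 mirrors verifyStateParameter with a stand-in for HttpSession, so the failure mode everyone is hitting (callback arrives without the session, originalState is null, exception) is reproduced directly. Part 2 issues a state value that carries its own HMAC-SHA256 signature and expiry, so any node can verify it without a session, as a JWT-style architecture would need; it binds the state to a value the client must present again on the callback (a cookie value is assumed here) so that a state minted for one client is not accepted from another.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Added illustration of OAuth2 'state' handling; not Spring Social code. Names are hypothetical. */
public class OAuth2StateDemo {

    // ---- Part 1: session-backed state, the shape of the check quoted in the issue ----

    /** Stand-in for HttpSession. The callback sees null when the container finds no session. */
    static final class FakeSession {
        private final Map<String, Object> attrs = new HashMap<>();
        void setAttribute(String k, Object v) { attrs.put(k, v); }
        Object getAttribute(String k) { return attrs.get(k); }
    }

    static final String STATE_ATTR = "oauth2State"; // placeholder attribute name

    static String newNonce() {
        byte[] b = new byte[16];
        new SecureRandom().nextBytes(b);
        return b64(b);
    }

    /** Flow start: generate the state and park it in the session (what the redirect to the provider carries). */
    static String beginSessionBacked(FakeSession session) {
        String state = newNonce();
        session.setAttribute(STATE_ATTR, state);
        return state;
    }

    /** Callback: same logic as verifyStateParameter. No session => originalState null => exception. */
    static void verifySessionBacked(FakeSession session, String stateFromCallback) {
        String originalState = session == null ? null : (String) session.getAttribute(STATE_ATTR);
        if (stateFromCallback == null || !stateFromCallback.equals(originalState)) {
            throw new IllegalStateException("The OAuth2 'state' parameter is missing or doesn't match.");
        }
    }

    // ---- Part 2: stateless, signed state that needs no session on the callback ----

    /** state = b64url(nonce:expiresAt) + "." + b64url(HMAC(key, nonce:expiresAt:clientBinding)). */
    static String issueSignedState(byte[] key, String clientBinding, long nowMillis, long ttlMillis) {
        String payload = newNonce() + ":" + (nowMillis + ttlMillis);
        return b64(payload.getBytes(StandardCharsets.UTF_8)) + "." + b64(hmac(key, payload + ":" + clientBinding));
    }

    /** Verifies signature (constant-time), client binding and expiry; false on any malformed input. */
    static boolean verifySignedState(byte[] key, String state, String clientBinding, long nowMillis) {
        if (state == null) return false;
        int dot = state.indexOf('.');
        if (dot <= 0 || dot == state.length() - 1) return false;
        String payload;
        byte[] presented;
        try {
            payload = new String(Base64.getUrlDecoder().decode(state.substring(0, dot)), StandardCharsets.UTF_8);
            presented = Base64.getUrlDecoder().decode(state.substring(dot + 1));
        } catch (IllegalArgumentException badEncoding) {
            return false;
        }
        byte[] expected = hmac(key, payload + ":" + clientBinding);
        if (!MessageDigest.isEqual(expected, presented)) return false; // constant-time compare
        int colon = payload.lastIndexOf(':');
        if (colon < 0) return false;
        try {
            return nowMillis <= Long.parseLong(payload.substring(colon + 1));
        } catch (NumberFormatException badExpiry) {
            return false;
        }
    }

    private static byte[] hmac(byte[] key, String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }

    public static void main(String[] args) {
        FakeSession session = new FakeSession();
        String state = beginSessionBacked(session);
        verifySessionBacked(session, state); // same session on the callback: passes
        try {
            verifySessionBacked(null, state); // session missing on the callback: the error from the issue
        } catch (IllegalStateException e) {
            System.out.println("session-less callback rejected: " + e.getMessage());
        }

        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key); // constructed demo key; a deployment would load a managed secret
        long now = System.currentTimeMillis();
        String signed = issueSignedState(key, "cookie-value-abc", now, 300_000); // constructed binding value
        System.out.println("valid         : " + verifySignedState(key, signed, "cookie-value-abc", now + 1_000));
        System.out.println("wrong binding : " + verifySignedState(key, signed, "other-client", now + 1_000));
        System.out.println("expired       : " + verifySignedState(key, signed, "cookie-value-abc", now + 600_000));
        System.out.println("tampered      : " + verifySignedState(key, signed + "x", "cookie-value-abc", now + 1_000));
    }
}
```

Compile and run with plain JDK tooling (javac/java); nothing beyond the standard library is used. The binding value is the important design choice in Part 2: a signed state alone proves the server issued it, not that this browser started the flow, so without binding it to something the client holds (a cookie, or the PKCE verifier in a public client) the login-CSRF protection that 'state' exists for is lost. Rotating or sharing the HMAC key across nodes is the operational cost that replaces the shared session store.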

@myachb

myachb commented Oct 14, 2017

I ran into this issue today. My application was working perfectly fine. I just took a break for a few hours and when I ran it again it started complaining about 'The OAuth2 'state' parameter is missing or doesn't match.'
The state param is first put into the session, then the request goes out to Facebook and the request comes back with the same state param, but when Spring is looking for the session object to get the state param, it is not finding the session. I think it is not finding the session because when the request comes back it thinks that it is a different client (or host), even though the old HttpSession object still exists. The container maintains an HttpSession per client.
To my surprise, I opened the application in an 'incognito' browser and everything worked. Just like that. I think something got cached before and was causing the issue.

@ghost

ghost commented May 7, 2018

@habuma @bvulaj I'm following the latest docs and get the same issue:

2018-05-07 21:26:40.492 DEBUG 14226 --- [nio-8443-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/signin/facebook'; against '/signin/**'
2018-05-07 21:26:40.492 DEBUG 14226 --- [nio-8443-exec-2] o.s.security.web.FilterChainProxy        : /signin/facebook?code=AQDYVq7q_FeWKdFqhIfHfxochcHnFjHJ6qLdj16LEy3Apu_Lh1vsiewBtzOuB29PMmS6tOdpACO8x5wuUlx7TXku19dlgt4ydON4KuiGd2UwqWQhOCKtG5JctB1oahAyLM6wVZKFJ8-jRZkuzpVXG0PiPjZ_k__bRnRImaX9SQURuObxVIZLAKkLdPqhofP-fKa63tyTfTL19dM6-Bco_jxpjbMSwaePcfZ-K3Kh1Oi4dwuiqTKAotVuxQZvXhYmx6Jy0x7SkVs34dEASAskr2h0R1T5ub460FyX5xkru2qszlQd-TLj1qYguNImS9qIIP9tG0wk8m6_wDL0qzopWJ5f&state=c59e8e93-716e-44da-96e1-2fa5c3999932 has an empty filter list
2018-05-07 21:26:40.517 ERROR 14226 --- [nio-8443-exec-2] o.s.s.c.web.ProviderSignInController     : Exception while completing OAuth 2 connection: 

java.lang.IllegalStateException: The OAuth2 'state' parameter is missing or doesn't match.
	at org.springframework.social.connect.web.ConnectSupport.verifyStateParameter(ConnectSupport.java:173) ~[spring-social-web-2.0.0.M4.jar:2.0.0.M4]
	at org.springframework.social.connect.web.ConnectSupport.completeConnection(ConnectSupport.java:155) ~[spring-social-web-2.0.0.M4.jar:2.0.0.M4]
	at org.springframework.social.connect.web.ProviderSignInController.oauth2Callback(ProviderSignInController.java:228) ~[spring-social-web-2.0.0.M4.jar:2.0.0.M4]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_162]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_162]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_162]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_162]
	at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:209) [spring-web-5.0.5.RELEASE.jar:5.0.5.RELEASE]
	at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:136) [spring-web-5.0.5.RELEASE.jar:5.0.5.RELEASE]
	at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:102) [spring-webmvc-5.0.5.RELEASE.jar:5.0.5.RELEASE]
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:877) [spring-webmvc-5.0.5.RELEASE.jar:5.0.5.RELEASE]
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:783) [spring-webmvc-5.0.5.RELEASE.jar:5.0.5.RELEASE]
	at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87) [spring-webmvc-5.0.5.RELEASE.jar:5.0.5.RELEASE]
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:991) [spring-webmvc-5.0.5.RELEASE.jar:5.0.5.RELEASE]
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:925) [spring-webmvc-5.0.5.RELEASE.jar:5.0.5.RELEASE]
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:974) [spring-webmvc-5.0.5.RELEASE.jar:5.0.5.RELEASE]

Is there anything I can do about this?

@aliakkaya

We are facing the same issue; is there any update or workaround?

[ERROR] 2019-02-04 06:27:25.146 [ajp-nio-8009-exec-10] ProviderSignInController - Exception while completing OAuth 2 connection:
java.lang.IllegalStateException: The OAuth2 'state' parameter is missing or doesn't match.
        at org.springframework.social.connect.web.ConnectSupport.verifyStateParameter(ConnectSupport.java:173) ~[spring-social-web-1.1.6.RELEASE.jar:1.1.6.RELEASE]
        at org.springframework.social.connect.web.ConnectSupport.completeConnection(ConnectSupport.java:155) ~[spring-social-web-1.1.6.RELEASE.jar:1.1.6.RELEASE]
        at org.springframework.social.connect.web.ProviderSignInController.oauth2Callback(ProviderSignInController.java:228) [spring-social-web-1.1.6.RELEASE.jar:1.1.6.RELEASE]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_191]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_191]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_191]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_191]
        at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:209) [spring-web-5.0.8.RELEASE.jar:5.0.8.RELEASE]
        at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:136) [spring-web-5.0.8.RELEASE.jar:5.0.8.RELEASE]
        at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:102) [spring-webmvc-5.0.8.RELEASE.jar:5.0.8.RELEASE]
        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:877) [spring-webmvc-5.0.8.RELEASE.jar:5.0.8.RELEASE]
        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:783) [spring-webmvc-5.0.8.RELEASE.jar:5.0.8.RELEASE]
        at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87) [spring-webmvc-5.0.8.RELEASE.jar:5.0.8.RELEASE]
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:991) [spring-webmvc-5.0.8.RELEASE.jar:5.0.8.RELEASE]
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:925) [spring-webmvc-5.0.8.RELEASE.jar:5.0.8.RELEASE]
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:974) [spring-webmvc-5.0.8.RELEASE.jar:5.0.8.RELEASE]
        at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:866) [spring-webmvc-5.0.8.RELEASE.jar:5.0.8.RELEASE]
