The OAuth2 'state' parameter is missing or doesn't match #216
Comments
I'm having this issue as well, with a simple Facebook sign-in using the Spring Social ProviderSigninController. The request goes out with the proper state param, and the request comes back with the proper state param; however, the check in
Digging a bit deeper, it seems that the
@bvulaj Thanks for your reply. Do you have any idea how to solve this problem?
That's as far as I've debugged it so far, but I am still looking. No HttpSession is found during the OAuth2 callback, and therefore, since there is no HttpSession, there is no original I don't imagine this is a Redis Session issue, but I'm also not sure. On the initial signin/signup call, the initial state seems to be persisted successfully in the Redis session. core version: 1.1.4
FWIW, I've tried this both with and without Spring Session (Redis) involved and haven't had any issues. That said, the HttpSession is ultimately provided by the container that the application is running in or (in the case of Spring Session) by Spring Session. Therefore, if the HttpSession is missing, it gives the appearance that something outside of Spring Social is failing for some reason. Don't misunderstand this as me throwing blame at another project. I am still keenly interested in hearing more information that might advise this issue and will react with changes to Spring Social if necessary. I'll leave this issue open for the time being, pending further information. At this point, I'm unable to recreate the issue. But if there is any other pertinent data you can provide that will help pinpoint the problem, please share it here and I'll attempt again to recreate the problem on my end.
Well, I have another view on this matter. Given that I am using a microservice + JWT architecture, my users do not have sessions in this sense, ultimately leading to the same problem: Spring Social cannot find the original "state" attribute. I think the whole approach of saving the "state" into the session has to be reconsidered, or at least not hard-coded, so that the SessionStrategy can be exchanged for custom strategies.
I ran into this issue today. My application was working perfectly fine. I just took a break for a few hours, and when I ran it again it started complaining about 'The OAuth2 'state' parameter is missing or doesn't match.'
@habuma @bvulaj I'm following the latest docs and get the same issue:
Is there anything I can do about this?
We are facing the same issue, is there any update or workaround?
I am developing a mobile application using JHipster and JHipster-Ionic along with Cordova. Currently, I am using token-based AngularJS authentication (Satellizer) to log in with OAuth 2.0, and I have an issue with Spring Social. This is the exception in my logs:
I did some debugging on my back end, and the issue is coming from this function in the ConnectSupport class:

```java
private void verifyStateParameter(NativeWebRequest request) {
    // 'state' echoed back by the provider on the callback
    String state = request.getParameter("state");
    // 'state' cached when the flow started; null when no HttpSession is found on the callback
    String originalState = extractCachedOAuth2State(request);
    if (state == null || !state.equals(originalState)) {
        throw new IllegalStateException("The OAuth2 'state' parameter is missing or doesn't match.");
    }
}
```
My state is well initialized by Satellizer but the originalState is always null.
You can check my post on stackoverflow
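The symptom reported above (originalState is null whenever no HttpSession exists on the callback) and the earlier suggestion to make the state storage strategy pluggable, shown together as an added, self-contained Java example that is not Spring Social's code. The OAuth2StateStore interface, both implementations, the class names and the demo key are assumptions made for illustration: one store keeps the state in a per-session map and reproduces the failure when there is no session, the other issues an HMAC-signed, expiring state bound to a value the client carries (a session id, or a cookie value for JWT / mobile deployments) so that nothing needs to be stored server-side and the CSRF property of the state check is kept.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical pluggable store for the OAuth2 'state' value (added example, not Spring Social's SessionStrategy).
// 'clientBinding' is whatever the client reliably presents again on the callback: an HttpSession id,
// or a cookie value for session-less (JWT / mobile) deployments.
interface OAuth2StateStore {
    String issueState(String clientBinding);
    boolean verifyState(String clientBinding, String returnedState);
}

// Session-backed store: mirrors the behaviour discussed in this issue. With no session (null binding)
// the cached state is null, so the callback check fails just as verifyStateParameter does.
final class SessionStateStore implements OAuth2StateStore {
    private final Map<String, String> stateBySession = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    public String issueState(String sessionId) {
        byte[] nonce = new byte[32];
        random.nextBytes(nonce);
        String state = b64(nonce);
        if (sessionId != null) stateBySession.put(sessionId, state);
        return state;
    }

    public boolean verifyState(String sessionId, String returnedState) {
        // remove() makes the state single-use; a missing session yields null, the symptom in this issue
        String original = sessionId == null ? null : stateBySession.remove(sessionId);
        if (original == null || returnedState == null) return false;
        return MessageDigest.isEqual(original.getBytes(StandardCharsets.UTF_8),
                                     returnedState.getBytes(StandardCharsets.UTF_8));
    }

    static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }
}

// Stateless store: state = nonce.expiry.HMAC(nonce.expiry|clientBinding). Nothing is kept server-side;
// the HMAC proves the server issued the value, the binding ties it to the client that started the flow.
final class SignedStateStore implements OAuth2StateStore {
    private final byte[] key;
    private final long ttlMillis;
    private final SecureRandom random = new SecureRandom();

    SignedStateStore(byte[] key, long ttlMillis) { this.key = key.clone(); this.ttlMillis = ttlMillis; }

    public String issueState(String clientBinding) {
        byte[] nonce = new byte[16];
        random.nextBytes(nonce);
        String payload = SessionStateStore.b64(nonce) + "." + (System.currentTimeMillis() + ttlMillis);
        return payload + "." + SessionStateStore.b64(hmac(payload, clientBinding));
    }

    public boolean verifyState(String clientBinding, String returnedState) {
        if (returnedState == null) return false;
        int dot = returnedState.lastIndexOf('.');
        if (dot < 0) return false;
        String payload = returnedState.substring(0, dot);
        byte[] givenMac;
        try {
            givenMac = Base64.getUrlDecoder().decode(returnedState.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return false;
        }
        // constant-time comparison of the recomputed MAC against the one the provider echoed back
        if (!MessageDigest.isEqual(hmac(payload, clientBinding), givenMac)) return false;
        String[] parts = payload.split("\\.");
        if (parts.length != 2) return false;
        try {
            return Long.parseLong(parts[1]) >= System.currentTimeMillis(); // reject expired state
        } catch (NumberFormatException e) {
            return false;
        }
    }

    private byte[] hmac(String payload, String clientBinding) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal((payload + "|" + clientBinding).getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}

public class StateCheckDemo {
    public static void main(String[] args) {
        OAuth2StateStore session = new SessionStateStore();
        String s = session.issueState("sess-1");
        System.out.println("session-backed, same session:   " + session.verifyState("sess-1", s));
        s = session.issueState(null);
        System.out.println("session-backed, no HttpSession: " + session.verifyState(null, s));

        // constructed demo key; a deployment would load a real secret from configuration
        OAuth2StateStore signed = new SignedStateStore(
                "demo-key-not-for-production".getBytes(StandardCharsets.UTF_8), 300_000L);
        s = signed.issueState("cookie-abc");
        System.out.println("stateless, same client:  " + signed.verifyState("cookie-abc", s));
        System.out.println("stateless, other client: " + signed.verifyState("cookie-xyz", s));
        System.out.println("stateless, tampered:     " + signed.verifyState("cookie-abc", s + "x"));
    }
}
```

Compile and run with `javac StateCheckDemo.java && java StateCheckDemo`. The binding input is the part that matters for the stateless variant: a signed state with no client binding only proves that the server issued it, not that the browser or app presenting it is the one that started the flow, so a deployment without an HttpSession should feed in a value the client holds (a cookie set when the flow starts, or a claim from the already-issued JWT) rather than a constant.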