CallbackHandlerError after Organization Invite #1337
Comments
Setting the cookie domain to the naked domain should allow you to logout, could you share a HAR file (with any secrets redacted) of logging out and then being logged back in again and I'd be happy to investigate.

Hey Adam, Ultimately, I would like to keep the cookies scoped to the correct subdomain. Completing a regular login on a subdomain results in the appSession cookie domain value being

In addition, here is a happy path version where I don't set any cookie domain settings. Instead of following the invite URL, I prepend the subdomain to it and everything works perfectly. ie. Can complete invite, and log out, no issues. Redirect URIs are same in both.

Thanks for sharing the HAR file. I can see that the domain is not being included in the This looks like a bug in

You want the state cookie scoped to the naked domain (so you don't get the "CallbackHandlerError: Missing state cookie from login request") and the session cookies scoped to the subdomain. Currently both cookies share the same config so this is not possible, but I plan to make the state cookie name configurable, so I will make the other options (inc path and domain) configurable too, as part of #1297

Thanks a lot @adamjmcgrath!
Description
Context: I am developing a Next.js multi-tenant application. Subdomains map to organizations.

When inviting a user to an organization through Auth0 and following the invite URL, I am hitting the following error:

CallbackHandlerError: Missing state cookie from login request (check login URL, callback URL and cookie config).

It looks like the cookie is being set on the wrong domain, but I'm not quite sure on this or why. The invite goes through and is accepted on Auth0's end, but on the frontend the error is shown. In my callback handler, I am using the subdomain as the redirectUrl, so something along the lines of https://sub.domain.com/api/auth/callback. There are no issues completing a login request, but when accepting an org invite, I run into the issues. My callback and login handlers are using the same redirectUri and I'm using the subdomain URL as the returnTo (https://sub.domain.com). When sending the invitation to an org, the invitation URL is something like https://domain.com/api/auth/login?invitation=...organization=.... I noticed that if I prepend the relevant subdomain to this invitation URL, everything works as expected. I understand the cookie is not getting set in the correct place and as a result the callback is not working, but I don't understand where the cookie is actually being set and the reason for this.

I have played around with the cookie config a lot. Setting the cookie domain to domain.com / .domain.com / sub.domain.com does allow the invite to be accepted and the redirect to occur properly, but then I can't log out. Logging out seems to clear the cookies, but then they appear again straight away. I have also tried SameSite=none and Secure=true, but to no avail. Unfortunately it is not possible to append the organization to the Application Login URI on Auth0 the same way it is possible to do so on the Allowed Callback URLs. Not too sure on how to proceed here.

Thanks!
Login Handler
Callback Handler
Reproduction
Additional context
No response
nextjs-auth0 version
3.0.0
Next.js version
13.4.12
Node.js version
18.x
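The failure described in this issue, and the maintainer's explanation of it (state cookie set on the naked domain, callback handled on the subdomain, both cookies sharing one domain setting), can be traced with a small model of RFC 6265 cookie domain scoping. This is an added example, not code from nextjs-auth0 or from the issue author; the state cookie name "state" and the host other.domain.com are assumptions, while domain.com, sub.domain.com and appSession come from the thread.

```javascript
// Added example (not nextjs-auth0 code): a minimal model of RFC 6265 cookie
// domain scoping, used to trace the org-invite flow from the issue.

// RFC 6265 s5.1.3: a host domain-matches a cookie domain if it is equal to it
// or is a subdomain of it.
function domainMatches(host, cookieDomain) {
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

class CookieJar {
  constructor() { this.cookies = new Map(); }
  // A Set-Cookie from `host` without a Domain attribute is host-only (s5.3 step 6);
  // with Domain=domain.com it is sent to domain.com and to every subdomain.
  set(host, name, domain) {
    const d = domain ? domain.replace(/^\./, "") : host;
    this.cookies.set(name + "@" + d, { name, domain: d, hostOnly: !domain });
  }
  // Names of the cookies a request to `host` carries (s5.4 step 1).
  namesFor(host) {
    return [...this.cookies.values()]
      .filter(c => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
      .map(c => c.name);
  }
}

// Trace the issue's flow: /api/auth/login runs on loginHost and sets the state
// cookie; the callback arrives on callbackHost and then sets the session cookie.
// `cookieDomain` models the SDK's single cookie domain setting (undefined =
// host-only). The state cookie name "state" is assumed; the issue does not give it.
function traceInviteFlow(loginHost, callbackHost, cookieDomain) {
  const jar = new CookieJar();
  jar.set(loginHost, "state", cookieDomain);
  if (!jar.namesFor(callbackHost).includes("state")) {
    return { ok: false, error: "CallbackHandlerError: Missing state cookie from login request" };
  }
  jar.set(callbackHost, "appSession", cookieDomain);
  // Report which tenant hosts (other.domain.com is constructed) share the session cookie.
  const tenants = ["domain.com", "sub.domain.com", "other.domain.com"];
  return { ok: true, sessionVisibleOn: tenants.filter(h => jar.namesFor(h).includes("appSession")) };
}

// Invite URL on the naked domain with default cookie config: the state cookie is
// host-only on domain.com, so the callback on sub.domain.com never receives it.
console.log(traceInviteFlow("domain.com", "sub.domain.com"));
// Subdomain prepended to the invite URL: works, and appSession stays on that subdomain.
console.log(traceInviteFlow("sub.domain.com", "sub.domain.com"));
// Cookie domain set to the naked domain: callback works, but appSession is now
// shared by every subdomain, which is what the issue author wants to avoid.
console.log(traceInviteFlow("domain.com", "sub.domain.com", "domain.com"));
```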