Invalid State error 100% of the time #597

Closed
stoicbuddha opened this issue Dec 7, 2018 · 8 comments

@stoicbuddha
Description

When I try to log in via wp-admin or the Lock popup, I get There was a problem with your log in: Invalid state [error code: unknown]. From what I can tell, it's having problems validating the JWT value but I'm not sure why.

Environment

  • WP-Auth0 version: 3.8.1 (I've seen this with 3.6.2 though as well)
  • WordPress version: 4.9.6
  • PHP version: 5.6.38
  • Lock version: 11.12.1 (same issue with 11.1 and 11.2 though as well)

Reproduction

Go to https://www.gfntv.com/wp-admin and try to log in with the following test acct credentials:
Email: [email protected]
PW: password

Interestingly enough, there are no logs that display errors on this front; the plugin logs are empty and the Auth0 logs on the dashboard show success for silent auth on login attempts.

Every once in a while (I can't seem to replicate this with any kind of certainty), the login itself actually works, but still throws the error. When you go back to log in again, it redirects you to the homepage. I would say this happens about 5% of the time, if I had to guess.

Auth0 Settings for this site are here.

@joshcanhelp
Contributor

Sorry for the trouble here @stoicbuddha ... best place to start with this is our troubleshooting guide here:

https://auth0.com/docs/cms/wordpress/invalid-state

If you walk through all those steps, you should be able to figure out the issue. Otherwise, there are instructions for how to generate a HAR file, which you can post here (redacting anything sensitive) or email directly to me (let me know and I'll send my email address).

@stoicbuddha
Author

Hey @joshcanhelp

There is an error in the docs: wpAuth0LockGlobal.auth.settings.state should be wpAuth0LockGlobal.settings.auth.params.state, per the page source and your sample json.

Outside of that, the site is on WP Engine which has some pretty aggressive caching, but I still get x-cache: MISS on every call, so I'm not sure if caching is the problem. I created a HAR; send me your email address and I'll send it your way.

@joshcanhelp
Contributor

@stoicbuddha - Thank you for pointing that out. I'll get that corrected when I address the rest here.

We've had recurring problems with WP-Engine and caching (not that they are doing something wrong, just that their caching is aggressive, as you mentioned) and I was actually working on an addition to that troubleshooting guide that addresses them specifically. The way to validate that this is the issue or not is to try this out the same way on a staging site, where that caching is not present. If it works there, then that's the issue we're trying to resolve. There is more information here:

https://community.auth0.com/t/invalid-state-error-during-auth0-wordpress-redirect/12552/10

It looks like the issue is cookies being cached and not being read properly. In that thread, you'll see that the folks having the issues contacted support and had that specific cookie, auth0_state, excluded (or maybe had requests with that cookie excluded? I'm not totally clear on that yet).

I'm chatting with WP-Engine now to get an instance set up and will report back as soon as I have anything else to share.

@stoicbuddha
Author

@joshcanhelp Thanks for getting back to me. I'll await your response on this to see where I go from here.

@joshcanhelp
Contributor

@stoicbuddha - I just tested this out in a production WP-Engine environment and I was not able to reproduce it in either a regular database or a custom one (user migration), object caching both on and off. I know this is an issue because we've also had support tickets about it but I'm not sure where to go from here.

Do you have any custom caching set up? Any other custom settings/plugins that might be relevant?

@joshcanhelp
Contributor

Just FYI on this, I have a ticket open with WP-Engine to investigate a root cause here. I'll leave this open until we have either a fix in place or documentation. In the meantime, I updated the troubleshooting guide linked above.

@joshcanhelp
Contributor

joshcanhelp commented Dec 20, 2018

@stoicbuddha - I'm still not able to reproduce this issue but worked with WP-Engine to determine that this is likely related to caching and cookies, as I suspected. I added the fix you mentioned above a couple of days ago and will add the following as well:

Cached cookies and URL parameters.

If you're on a managed host like WP-Engine, you may need to contact their support team for additional assistance. We've had reports of issues accessing required cookies on the callback URL, as well as problems with checking authentication on the final page that users see after logging in. Specifically, ask to have cache exclusions added for:

Cookie: auth0_state
Cookie: auth0_nonce
Arg/URL parameter: auth0
Arg/URL parameter: code
Arg/URL parameter: state
Arg/URL parameter: id_token
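
Added example, not code from this thread, from the WP-Auth0 plugin or from WP Engine: a Python simulation of the `state` check that produces the "Invalid state" error, and of how a full-page cache that stores the login page but not its `Set-Cookie` header breaks that check for every visitor after the first. The `Origin`, `CachingProxy`, `login_attempt` and `run_scenario` names and the cache behaviour are constructed assumptions for illustration only.

```python
"""Constructed simulation of the OAuth2/OIDC `state` check behind the
"Invalid state" error, and of how an edge cache that replays the login
page without its Set-Cookie header defeats it. Not WP-Auth0 or WP Engine
code; the cache behaviour below is an assumption used for illustration."""
import hmac
import secrets
from typing import Dict, List, Optional, Set


def new_state() -> str:
    """Unguessable per-login value (the plugin keeps it in the auth0_state cookie)."""
    return secrets.token_urlsafe(32)


def validate_state(state_param: Optional[str], state_cookie: Optional[str]) -> bool:
    """Callback-side check: the `state` query argument Auth0 echoes back must
    equal the value the browser sends in its cookie. Constant-time compare."""
    if not state_param or not state_cookie:
        return False
    return hmac.compare_digest(state_param.encode(), state_cookie.encode())


class Origin:
    """WordPress origin: every login page render mints a fresh state, embeds it
    in the page (Lock's auth.params.state) and sets the matching cookie."""

    def start_login(self) -> dict:
        state = new_state()
        return {"set_cookie": {"auth0_state": state}, "page_state": state}


class CachingProxy:
    """Full-page cache in front of the origin (assumed behaviour: it stores the
    response body but never stores Set-Cookie). Unless auth0_state is on the
    exclusion list, later visitors get the first visitor's page."""

    def __init__(self, origin: Origin, excluded_cookies: Set[str]):
        self.origin = origin
        self.excluded = excluded_cookies
        self.cached_page: Optional[str] = None

    def start_login(self) -> dict:
        bypass = "auth0_state" in self.excluded
        if bypass or self.cached_page is None:
            resp = self.origin.start_login()
            if not bypass:
                self.cached_page = resp["page_state"]  # body stored, cookie header dropped
            return resp
        return {"set_cookie": {}, "page_state": self.cached_page}  # cache hit


def login_attempt(proxy: CachingProxy, cookie_jar: Dict[str, str]) -> str:
    """One browser's login round-trip; returns 'ok' or 'invalid_state'."""
    resp = proxy.start_login()
    cookie_jar.update(resp["set_cookie"])
    # Auth0 returns `state` unchanged on the callback URL; the plugin compares
    # it with the cookie it expects the same browser to present.
    ok = validate_state(resp["page_state"], cookie_jar.get("auth0_state"))
    return "ok" if ok else "invalid_state"


def run_scenario(exclude_state_cookie: bool, visitors: int = 3) -> List[str]:
    """Several distinct browsers (empty cookie jars) log in through one cache."""
    excluded = {"auth0_state"} if exclude_state_cookie else set()
    proxy = CachingProxy(Origin(), excluded)
    return [login_attempt(proxy, {}) for _ in range(visitors)]


if __name__ == "__main__":
    print("no exclusion:  ", run_scenario(False))  # first visitor fills the cache, later ones fail
    print("with exclusion:", run_scenario(True))
```

In the uncached run only the visitor who fills the cache succeeds and everyone after receives a page whose embedded state no longer matches any cookie they hold, which is the intermittent success pattern described earlier in this thread; with `auth0_state` excluded, every visitor gets a fresh page and cookie pair and the check passes.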

@joshcanhelp joshcanhelp added this to the 3.9.0 milestone Jan 10, 2019
@lakshmi-auth0

lakshmi-auth0 commented Jun 10, 2022

We had to call WP Engine support people to turn off caching for our WordPress website. This was the only way we could solve this. Currently there is no way for a WP Engine website's admin to disable caching in WP Engine. The admin of a WordPress website can only view the cookies that are not cached and can't modify the list of cookies that are not cached.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 19, 2022