How to debug Oauth: MismatchingStateError when using live URL, but works with localhost #417

Open
InkLabApp opened this issue Jul 29, 2020 · 1 comment

Comments

@InkLabApp

Good day, I am having some issues getting OAuth to work when moving from "localhost" (for development) to a real domain name. The only differences between the environments are the domain name itself, and the production site using Nginx instead of the development Flask web server. I have tried to use both Google OAuth as well as GitLab OAuth. Both work using localhost and the Flask debug server, but not on a production machine.

The full error is: `authlib.integrations.base_client.errors.MismatchingStateError: mismatching_state: CSRF Warning! State not equal in request and response.`

This comes when calling `oauth..authorize_access_token()`

I am a little lost as to how to start debugging this issue. Clearly the majority of the implementation is correct, as the full workflow works when using localhost. I do receive a "code" and "state" query argument in the callback where the error takes place. Where can I verify the other "state" that is mismatching?

Please let me know what kind of logs or additional configuration details I can provide, that might be most helpful for this case.

Thanks for reading!

@jtroussard
Contributor

jtroussard commented Aug 3, 2020

Sounds like you might want to start looking here:

```python
def authorization_url(self, url, state=None, **kwargs):
```

As I understand it, the state value is passed to the OAuthSession object constructor, OR it can be self-generated when building the authorization URL (see above link). Hope this helps.

Note: I'm not sure what the official etiquette is for this project, however when I am in doubt I always try to treat these kinds of posts like a Stack Overflow post and provide a minimal reproducible example.
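To make the "other state" the reporter asks about concrete, here is a small added model of the OAuth 2.0 state check. It is illustration code written for this page, not Authlib's implementation: the `session` dict, the `oauth_state` key, the endpoint URLs and the client id are all constructed assumptions. The client generates a state (or accepts one, as in the `state=None` parameter quoted above), stores its copy in the user's session at redirect time, and on the callback compares the provider's echoed `state` with that stored copy. The second simulation shows the failure mode: if the callback arrives with a session that no longer contains the stored state, the comparison fails with the same `mismatching_state` message, even though the provider returned a perfectly good `code` and `state`.

```python
"""Minimal model of the OAuth 2.0 'state' CSRF check (added illustration,
not Authlib's code). The session dict stands in for the signed session
cookie a web framework keeps between the redirect and the callback."""
import secrets
from typing import Optional
from urllib.parse import urlencode, parse_qs, urlparse


class MismatchingStateError(Exception):
    """Raised when the callback's state does not match the stored one."""


def build_authorize_url(session: dict, authorize_endpoint: str, client_id: str,
                        redirect_uri: str, state: Optional[str] = None) -> str:
    """Create the authorization URL and record the state in the caller's session.

    If no state is supplied, one is generated with a CSPRNG, mirroring the
    'self-generated' path described in the comment above."""
    if state is None:
        state = secrets.token_urlsafe(32)
    session["oauth_state"] = state          # assumed key name for this model
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{authorize_endpoint}?{query}"


def verify_callback(session: dict, callback_url: str) -> str:
    """Compare the state echoed by the provider with the copy in the session.

    Returns the authorization code on success. The stored state is consumed
    so that a replayed callback cannot pass the check a second time."""
    params = parse_qs(urlparse(callback_url).query)
    returned_state = params.get("state", [None])[0]
    expected_state = session.pop("oauth_state", None)
    if expected_state is None or not secrets.compare_digest(returned_state, expected_state):
        raise MismatchingStateError(
            "mismatching_state: CSRF Warning! State not equal in request and response."
        )
    return params["code"][0]


def simulate(session_survives: bool) -> str:
    """Run one redirect/callback round trip with constructed URLs.

    With session_survives=False the callback arrives with a fresh, empty
    session, which is what the client sees when the session cookie set during
    the redirect is not presented again on the callback request."""
    session_at_redirect: dict = {}
    url = build_authorize_url(session_at_redirect,
                              "https://provider.example/authorize",   # constructed
                              "client-123",                           # constructed
                              "https://app.example/callback")         # constructed
    state = parse_qs(urlparse(url).query)["state"][0]
    # Constructed callback: the provider echoes the state and adds a code.
    callback = "https://app.example/callback?" + urlencode({"code": "abc", "state": state})
    session_at_callback = session_at_redirect if session_survives else {}
    try:
        return verify_callback(session_at_callback, callback)
    except MismatchingStateError:
        return "mismatching_state"


if __name__ == "__main__":
    print("session kept   ->", simulate(True))    # the authorization code
    print("session lost   ->", simulate(False))   # mismatching_state
```

In this model the value that must equal the `state` query argument on the callback is whatever the redirect step saved in the session (`session["oauth_state"]` here); the framework's session store is therefore the first thing to inspect when the callback carries a valid-looking `state` but the check still fails.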
