@julian So my site receives "https$mysite$site$com/auth/auth0/callback?code=letternumberjumble&state=letternumbersymboljumble" and responds with a 500.

while their site gets "https$forum$antergos$com/auth/auth0/callback?code=letternumberjumble"

$ being replaced with the obvious things because the spam defense doesn't let me post things that seem like links yet.

If I remove the state I can at least get some better feedback from the backend, though it complains the callback code is wrong (probably because it needs to happen in that first response directly, at least I assume it shouldn't work if merely resent/spoofed later).

2018-05-01T15:30:53.594Z [26584] - error: /auth/auth0/callback
TokenError: Invalid authorization code
at Strategy.OAuth2Strategy.parseErrorResponse (/data/node_BB/nodebb/node_modules/passport-oauth2/lib/strategy.js:329:12)
at Strategy.OAuth2Strategy._createOAuthError (/data/node_BB/nodebb/node_modules/passport-oauth2/lib/strategy.js:376:16)
at /data/node_BB/nodebb/node_modules/passport-oauth2/lib/strategy.js:166:45
at /data/node_BB/nodebb/node_modules/oauth/lib/oauth2.js:191:18
at passBackControl (/data/node_BB/nodebb/node_modules/oauth/lib/oauth2.js:132:9)
at IncomingMessage.<anonymous> (/data/node_BB/nodebb/node_modules/oauth/lib/oauth2.js:157:7)
at emitNone (events.js:111:20)
at IncomingMessage.emit (events.js:208:7)
at endReadableNT (_stream_readable.js:1064:12)
at _combinedTickCallback (internal/process/next_tick.js:138:11)
at process._tickCallback (internal/process/next_tick.js:180:9)

Don't spend time on it for now, I'll see if I can use a rule on the auth0 site to not send back the state and I'll report back if that works or not.

Community

Khalid Kunji