supabase / auth

A JWT based API for managing users and issuing JWT tokens

Home Page: https://supabase.com/docs/guides/auth

OAuth - State parameter not working

C4T4 opened this issue · comments

I'm trying to pass a test string in the state parameter via Google login. The state parameter and the value get passed to Google and redirected to Supabase, but Supabase throws an error at this point:

https://xxxx.supabase.co/auth/v1/callback?state=test&code=xxxA&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+openid&authuser=0&prompt=none

{"code":400,"error_code":"bad_oauth_state","msg":"OAuth callback with invalid state"}

// I use supabase from @supabase/ssr
import { Auth } from '@supabase/auth-ui-react';

<Auth
  view={props.view || 'sign_in'}
  supabaseClient={supabase}
  providers={['google']}
  queryParams={{
    state: 'test'
  }}
  redirectTo={`${getURL()}/auth/callback`}
  magicLink={true}
/>

Google Login/Prompt URL

https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?client_id=xxxx.apps.googleusercontent.com&redirect_uri=https://xxxx.supabase.co/auth/v1/callback&response_type=code&scope=email profile&state=test&service=lso&o2v=2&theme=mn&ddm=0&flowName=GeneralOAuthFlow

Hey @C4T4, you can't pass a state query parameter because Supabase Auth uses it to store auth-specific state which it reads on the callback.
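Added example, not part of the thread and not Supabase Auth's own code: a generic sketch of an auth server that issues a signed `state` and verifies it on the callback, which shows why a caller-supplied value such as `test` is rejected. The names `issueState`, `verifyState` and `SECRET`, the payload fields and the `app.example` URL are assumptions for illustration; the `bad_oauth_state` code is reused from the error shown above.

```javascript
// Illustrative signed-state scheme (assumed design, not Supabase Auth's code).
const crypto = require('node:crypto');

// Constructed demo key; a real server would load this from its secret store.
const SECRET = crypto.randomBytes(32);

// Build the state the auth server sends to the provider: body + HMAC tag.
function issueState(payload, ttlSeconds = 300, now = Date.now()) {
  const claims = {
    ...payload,
    nonce: crypto.randomBytes(16).toString('hex'), // makes each state unique
    exp: Math.floor(now / 1000) + ttlSeconds,      // short-lived
  };
  const body = Buffer.from(JSON.stringify(claims)).toString('base64url');
  const tag = crypto.createHmac('sha256', SECRET).update(body).digest('base64url');
  return `${body}.${tag}`;
}

// Check the state returned on the callback before exchanging the code.
function verifyState(state, now = Date.now()) {
  const invalid = { ok: false, error_code: 'bad_oauth_state' };
  if (typeof state !== 'string') return invalid;
  const parts = state.split('.');
  if (parts.length !== 2) return invalid; // 'test' fails here: no tag at all
  const [body, tag] = parts;
  const expected = crypto.createHmac('sha256', SECRET).update(body).digest();
  const given = Buffer.from(tag, 'base64url');
  // Constant-time comparison; lengths must match before timingSafeEqual.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return invalid;
  }
  let claims;
  try {
    claims = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  } catch {
    return invalid;
  }
  if (typeof claims.exp !== 'number' || claims.exp < Math.floor(now / 1000)) {
    return invalid; // expired or malformed expiry
  }
  return { ok: true, claims };
}

// Constructed sample: the server's own state passes, the client's 'test' does not.
const sample = issueState({ provider: 'google', redirectTo: 'https://app.example/auth/callback' });
console.log(verifyState(sample).ok, verifyState('test'));
```

Because the server can only trust values it signed itself, a state supplied by the client replaces the one the callback expects and the flow stops before the authorization code is exchanged.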