weixin_39636857
2020-11-27 19:03

Getting an infrequent msal.error "Invalid_state" when authenticating

Library

  • [X] msal.x.x or /msal.x.x
  • [ ] /msal-browser.x.x
  • [ ] /msal-angular.x.x
  • [X] /msal-angular.x.x
  • [ ] /msal-angularjs.x.x

Description

This ticket is a continuation of #1734, as I let it expire because too many other issues popped up elsewhere :(

Since that ticket, we've upgraded to msal.3.4 and /msal-angular.0.0. But the issue we had in #1734 is still reproducible intermittently in Chrome and about 90% of the time in a private browser window in Firefox.

I've included logging from the MSAL library:


Thu, 20 Aug 2020 12:07:04 GMT:6a9d9813-07a3-4ead-bfa8-57687862d968-1.3.4-Verbose LoginRedirect has been called 
Thu, 20 Aug 2020 12:07:04 GMT:6a9d9813-07a3-4ead-bfa8-57687862d968-1.3.4-Verbose AcquireTokenInteractive has been called 
Thu, 20 Aug 2020 12:07:04 GMT:6a9d9813-07a3-4ead-bfa8-57687862d968-1.3.4-Verbose Account set from MSAL Cache 
Thu, 20 Aug 2020 12:07:04 GMT:6a9d9813-07a3-4ead-bfa8-57687862d968-1.3.4-Verbose ExtractADALIdToken has been called 
Thu, 20 Aug 2020 12:07:04 GMT:6a9d9813-07a3-4ead-bfa8-57687862d968-1.3.4-Verbose Login call but no token found, proceed to login 
Thu, 20 Aug 2020 12:07:04 GMT:6a9d9813-07a3-4ead-bfa8-57687862d968-1.3.4-Verbose AcquireTokenHelper has been called 
Thu, 20 Aug 2020 12:07:04 GMT:6a9d9813-07a3-4ead-bfa8-57687862d968-1.3.4-Verbose Interaction type: redirectInteraction. isLoginCall: true 
Thu, 20 Aug 2020 12:07:04 GMT:6a9d9813-07a3-4ead-bfa8-57687862d968-1.3.4-Verbose-pii Serialized scopes: f5e78cbd-12a7-4d18-94db-bf14ffe0cc5d 
Thu, 20 Aug 2020 12:07:04 GMT:6a9d9813-07a3-4ead-bfa8-57687862d968-1.3.4-Verbose No cached metadata for authority 
Thu, 20 Aug 2020 12:07:04 GMT:6a9d9813-07a3-4ead-bfa8-57687862d968-1.3.4-Verbose Telemetry Event started: a67e1715-7dc9-45c1-8a79-5c0e12007cab_4b5e6160-98e7-474f-ba2e-672e48974e56-msal.http_event 
Thu, 20 Aug 2020 12:07:05 GMT:6a9d9813-07a3-4ead-bfa8-57687862d968-1.3.4-Verbose Telemetry Event stopped: a67e1715-7dc9-45c1-8a79-5c0e12007cab_4b5e6160-98e7-474f-ba2e-672e48974e56-msal.http_event 
Thu, 20 Aug 2020 12:07:05 GMT:6a9d9813-07a3-4ead-bfa8-57687862d968-1.3.4-Verbose Finished building server authentication request 
Thu, 20 Aug 2020 12:07:05 GMT:6a9d9813-07a3-4ead-bfa8-57687862d968-1.3.4-Verbose Updating cache entries 
Thu, 20 Aug 2020 12:07:05 GMT:6a9d9813-07a3-4ead-bfa8-57687862d968-1.3.4-Verbose Query parameters populated from account 
Thu, 20 Aug 2020 12:07:05 GMT:6a9d9813-07a3-4ead-bfa8-57687862d968-1.3.4-Verbose Interaction type redirect but login call is true. State not cached 
Thu, 20 Aug 2020 12:07:05 GMT:6a9d9813-07a3-4ead-bfa8-57687862d968-1.3.4-Verbose Navigating window to urlNavigate 
Thu, 20 Aug 2020 12:07:05 GMT:6a9d9813-07a3-4ead-bfa8-57687862d968-1.3.4-Info-pii Navigate to:https://login.microsoftonline.com/te/adacapromeb2custest.onmicrosoft.com/b2c_1a_signup_signin_adacap-pr1313/oauth2/v2.0/authorize?response_type=id_token&scope=openid%20profile&client_id=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX&redirect_uri=https%3A%2F%2Fpr1313-aaa-front.azurewebsites.net%2Flogin&state=eyJpZCI6ImM4ZTVlMGZjLWI0ZGMtNDAzMS04ZGYyLWRjZjNlZTBlNjU5MSIsInRzIjoxNTk3OTI1MjI1LCJtZXRob2QiOiJyZWRpcmVjdEludGVyYWN0aW9uIn0%3D&nonce=b917e873-e450-4c03-a68a-1f76374c466c&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=1.3.4&client-request-id=a67e1715-7dc9-45c1-8a79-5c0e12007cab&response_mode=fragment 
Navigated to https://login.microsoftonline.com/te/adacapromeb2custest.onmicrosoft.com/b2c_1a_signup_signin_adacap-pr1313/oauth2/v2.0/authorize?response_type=id_token&scope=openid%20profile&client_id=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX&redirect_uri=https%3A%2F%2Fpr1313-aaa-front.azurewebsites.net%2Flogin&state=eyJpZCI6ImM4ZTVlMGZjLWI0ZGMtNDAzMS04ZGYyLWRjZjNlZTBlNjU5MSIsInRzIjoxNTk3OTI1MjI1LCJtZXRob2QiOiJyZWRpcmVjdEludGVyYWN0aW9uIn0%3D&nonce=b917e873-e450-4c03-a68a-1f76374c466c&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=1.3.4&client-request-id=a67e1715-7dc9-45c1-8a79-5c0e12007cab&response_mode=fragment

Navigated to https://login.microsoftonline.com/MY_TENANT.onmicrosoft.com/B2C_1A_signup_signin_adacap-pr1313/api/CombinedSigninAndSignup/confirmed?csrf_token=RWVWWDRNQzg0Q3h3SE5PV3Q5VkhROTVaaG0zVEs0dHBWV3c4ZEZSTU0yS3JxRHRoNW5CcTJjUDNwWEc2Z1BTc0tabmZBd3F6c09HRFN3QVhlTkphSmc9PTsyMDIwLTA4LTIwVDEyOjA3OjA1LjM5MTc0NTJaO3lyWXFMTEFES2NzSi9Zd2cyemY1dEE9PTt7Ik9yY2hlc3RyYXRpb25TdGVwIjoxfQ==&tx=StateProperties=eyJUSUQiOiI1OTVhZGZmMS1iODVjLTQwODAtYWVlNS1hNjc5ZGRiMGJjNWYifQ&p=B2C_1A_signup_signin_adacap-pr1313&diags=%7B%22pageViewId%22%3A%2270e1a26a-4e20-46a1-8780-7a4366596830%22%2C%22pageId%22%3A%22CombinedSigninAndSignup%22%2C%22trace%22%3A%5B%7B%22ac%22%3A%22T005%22%2C%22acST%22%3A1597925225%2C%22acD%22%3A2%7D%2C%7B%22ac%22%3A%22T021%20-%20URL%3Ahttps%3A%2F%2Fpr1313aaasa.blob.core.windows.net%2Fpr1313-romeb2cui%2Fsignup-or-signin.html%22%2C%22acST%22%3A1597925225%2C%22acD%22%3A88%7D%2C%7B%22ac%22%3A%22T029%22%2C%22acST%22%3A1597925225%2C%22acD%22%3A6%7D%2C%7B%22ac%22%3A%22T004%22%2C%22acST%22%3A1597925225%2C%22acD%22%3A2%7D%2C%7B%22ac%22%3A%22T019%22%2C%22acST%22%3A1597925225%2C%22acD%22%3A14%7D%2C%7B%22ac%22%3A%22T003%22%2C%22acST%22%3A1597925225%2C%22acD%22%3A4%7D%2C%7B%22ac%22%3A%22T002%22%2C%22acST%22%3A0%2C%22acD%22%3A0%7D%5D%7D
Thu, 20 Aug 2020 12:08:00 GMT:2e049362-ac52-4f82-9fa5-d9356b100d34-1.3.4-Verbose GetResponseState has been called 
Thu, 20 Aug 2020 12:08:00 GMT:2e049362-ac52-4f82-9fa5-d9356b100d34-1.3.4-Verbose Hash contains state. Creating stateInfo object 
Thu, 20 Aug 2020 12:08:00 GMT:2e049362-ac52-4f82-9fa5-d9356b100d34-1.3.4-Verbose State does not match cached state, setting requestType to type from window 
Thu, 20 Aug 2020 12:08:00 GMT:2e049362-ac52-4f82-9fa5-d9356b100d34-1.3.4-Verbose Matching state not found for request 
Thu, 20 Aug 2020 12:08:00 GMT:2e049362-ac52-4f82-9fa5-d9356b100d34-1.3.4-Info Returned from redirect url 
Thu, 20 Aug 2020 12:08:00 GMT:2e049362-ac52-4f82-9fa5-d9356b100d34-1.3.4-Verbose HandleRedirectAuthenticationResponse has been called 
Thu, 20 Aug 2020 12:08:00 GMT:2e049362-ac52-4f82-9fa5-d9356b100d34-1.3.4-Verbose Window.location.hash cleared 
Thu, 20 Aug 2020 12:08:00 GMT:2e049362-ac52-4f82-9fa5-d9356b100d34-1.3.4-Verbose GetResponseState has been called 
Thu, 20 Aug 2020 12:08:00 GMT:2e049362-ac52-4f82-9fa5-d9356b100d34-1.3.4-Verbose Hash contains state. Creating stateInfo object 
Thu, 20 Aug 2020 12:08:00 GMT:2e049362-ac52-4f82-9fa5-d9356b100d34-1.3.4-Verbose State does not match cached state, setting requestType to type from window 
Thu, 20 Aug 2020 12:08:00 GMT:2e049362-ac52-4f82-9fa5-d9356b100d34-1.3.4-Verbose Matching state not found for request 
Thu, 20 Aug 2020 12:08:00 GMT:2e049362-ac52-4f82-9fa5-d9356b100d34-1.3.4-Verbose Default navigation to start page after login turned off 
Thu, 20 Aug 2020 12:08:00 GMT:2e049362-ac52-4f82-9fa5-d9356b100d34-1.3.4-Info ProcessCallBack has been called. Processing callback from redirect response 
Thu, 20 Aug 2020 12:08:00 GMT:2e049362-ac52-4f82-9fa5-d9356b100d34-1.3.4-Verbose SaveTokenFromHash has been called 
Thu, 20 Aug 2020 12:08:00 GMT:2e049362-ac52-4f82-9fa5-d9356b100d34-1.3.4-Info State status: false; Request type: undefined 
Thu, 20 Aug 2020 12:08:00 GMT:2e049362-ac52-4f82-9fa5-d9356b100d34-1.3.4-Verbose Server returns success 
Thu, 20 Aug 2020 12:08:00 GMT:2e049362-ac52-4f82-9fa5-d9356b100d34-1.3.4-Verbose State mismatch 
Thu, 20 Aug 2020 12:08:00 GMT:2e049362-ac52-4f82-9fa5-d9356b100d34-1.3.4-Error State Mismatch. Expected State: null, Actual State: eyJpZCI6ImM4ZTVlMGZjLWI0ZGMtNDAzMS04ZGYyLWRjZjNlZTBlNjU5MSIsInRzIjoxNTk3OTI1MjI1LCJtZXRob2QiOiJyZWRpcmVjdEludGVyYWN0aW9uIn0= 
Thu, 20 Aug 2020 12:08:00 GMT:2e049362-ac52-4f82-9fa5-d9356b100d34-1.3.4-Verbose Status set to complete, temporary cache cleared 
Thu, 20 Aug 2020 12:08:00 GMT:2e049362-ac52-4f82-9fa5-d9356b100d34-1.3.4-Verbose Response is null, setting redirectResponse with state 
Thu, 20 Aug 2020 12:08:00 GMT:2e049362-ac52-4f82-9fa5-d9356b100d34-1.3.4-Verbose AuthErrorHandler has been called 
Thu, 20 Aug 2020 12:08:00 GMT:2e049362-ac52-4f82-9fa5-d9356b100d34-1.3.4-Verbose Interaction type is redirect 
Thu, 20 Aug 2020 12:08:00 GMT:2e049362-ac52-4f82-9fa5-d9356b100d34-1.3.4-Verbose One callback was provided to handleRedirectCallback, calling authResponseCallback with error 
Redirect Error:  Invalid state. eyJpZCI6ImM4ZTVlMGZjLWI0ZGMtNDAzMS04ZGYyLWRjZjNlZTBlNjU5MSIsInRzIjoxNTk3OTI1MjI1LCJtZXRob2QiOiJyZWRpcmVjdEludGVyYWN0aW9uIn0=, state expected : null. 

In our Application MSAL is configured as follows:


import { Configuration, CryptoUtils, Logger, LogLevel } from "msal";
import { MsalAngularConfiguration } from "@azure/msal-angular";
import { AppConfigService } from "./app-config.service"; // import path assumed for the snippet as posted

export function msalConfigFactory(configService: AppConfigService): Configuration {
  const configuration: any = {
    auth: {
      clientId: "XXXXXXX-XXXX-XXXX-XXXXXXXXXXXX",
      authority: "https://login.microsoftonline.com/MY_TENANT.onmicrosoft.com/B2C_1A_signup_signin_adacap-pr1313",
      redirectUri: "https://pr1313-aaa-front.azurewebsites.net/login",
      postLogoutRedirectUri: "https://pr1313-aaa-front.azurewebsites.net/login",
      navigateToLoginRequestUrl: false,
      validateAuthority: false
    },
    cache: {
      cacheLocation: "localStorage",
      storeAuthStateInCookie: false
    },
    system: {
      // Verbose logger with PII logging enabled; this is what produced the log output above.
      logger: new Logger((logLevel, message, piiEnabled) => { console.log(message); }, {
        correlationId: CryptoUtils.createNewGuid(),
        level: LogLevel.Verbose,
        piiLoggingEnabled: true
      })
    }
  };
  return (configuration as Configuration);
}

export function msalAngularConfigFactory(configService: AppConfigService): MsalAngularConfiguration {
  const msalAngularConfiguration = {
    consentScopes: [
      "user_impersonation",
      "https://MY_TENANT.onmicrosoft.com/api/user_impersonation"
    ],
    popUp: true,
    unprotectedResources: [
      "/assets/"
    ],
    // protectedResourceMap is an array of [resourceUrl, scopes[]] tuples
    protectedResourceMap: [
      [
        "https://pr1313-aaa-front.azurewebsites.net/",
        ["XXXXXXX-XXXX-XXXX-XXXXXXXXXXXX"]
      ]
    ]
  };
  return (msalAngularConfiguration as MsalAngularConfiguration);
}

What can cause the state to be mismatched? Do we need to clear cached state before attempting to login, and if so how could we do that?

This question comes from the open source project: AzureAD/microsoft-authentication-library-for-js

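A model of the check behind the "State Mismatch" lines in the log above, added here as an illustration and not taken from the MSAL library: it decodes the `state` value that appears in the log (base64 of JSON with the request id, a Unix timestamp and the interaction method), then shows why a return with nothing persisted in the cache ("Expected State: null") must be rejected rather than treated as a valid login. The cache key name, the freshness bound and the sample redirect fragment are assumptions made for the example.

```javascript
// Added example, not MSAL code. The state value below is copied from the log above.
const PAGE_STATE =
  "eyJpZCI6ImM4ZTVlMGZjLWI0ZGMtNDAzMS04ZGYyLWRjZjNlZTBlNjU5MSIsInRzIjoxNTk3OTI1MjI1LCJtZXRob2QiOiJyZWRpcmVjdEludGVyYWN0aW9uIn0=";

// Decode a state of the shape seen in the log: base64(JSON{ id, ts, method }).
function decodeState(state) {
  const obj = JSON.parse(Buffer.from(state, "base64").toString("utf8"));
  if (typeof obj.id !== "string" || typeof obj.ts !== "number") {
    throw new Error("malformed state");
  }
  return obj;
}

// Build a state value in the same shape (our own helper, not MSAL's).
function buildState(id, ts, method) {
  return Buffer.from(JSON.stringify({ id, ts, method })).toString("base64");
}

// CACHE_KEY is a name chosen for this example, not MSAL's internal cache key.
const CACHE_KEY = "example.state.login";
const MAX_AGE_SEC = 15 * 60; // freshness bound, an added hardening choice

// Validate the state carried back in the redirect fragment against what the
// app persisted before navigating to the authority. `cache` is a plain object
// standing in for localStorage; `nowSec` is the current Unix time.
function validateRedirect(fragment, cache, nowSec) {
  const params = new URLSearchParams(fragment.replace(/^#/, ""));
  const returned = params.get("state");
  const expected = cache[CACHE_KEY] ?? null;
  delete cache[CACHE_KEY]; // single use: consume it whether or not it matches
  if (returned === null) return { ok: false, reason: "no_state_in_response" };
  if (expected === null || returned !== expected) {
    // expected === null is the situation in the log: nothing was persisted
    // before the redirect, so the response cannot be tied to a request this
    // app made. Fail closed; never accept the token on a missing expectation.
    return { ok: false, reason: "invalid_state", expected, actual: returned };
  }
  const { ts } = decodeState(returned);
  if (nowSec - ts > MAX_AGE_SEC) return { ok: false, reason: "stale_state" };
  return { ok: true, idToken: params.get("id_token") };
}
```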

6 replies