"Unable to verify authorization request state." Error

[podplatnikm]

Hello guys,

I am currently implementing Passport Twitter Auth in Nestjs using this library but I came across an error I can not solve:
"Unable to verify authorization request state." I have read comments about this issue online but none of them work for me.
I am using this on the localhost:3000

my express-session config:

  app.use(
    session({
      store: redisStore,
      secret: 'my-secret',
      resave: false,
      saveUninitialized: true,
      cookie: { secure: false, sameSite: false },
      // cookie: { secure: false, sameSite: "lax" },
    }),
  );

any idea what could go wrong here?

[jnv]

Hi @podplatnikm, thank you for your report. I suspect, same as you, that this is due to missing state to finish the authorization flow. Could you please add more information about:

• Package versions (esp. for Passport and session middleware)
• Code where you initialize the strategy and Passport middleware

Could you please also check whether the basic example server works for you?

[jnv]

Hey @podplatnikm, how is it going? Did you manage to resolve the problem?

[MuizNadeem]

This error is caused when passport-oauth2 library doesn't find the state in session.
https://github.com/jaredhanson/passport-oauth2/blob/master/lib/state/pkcesession.js#L67-L74

Passing state as string doesn't add it to the session, and you end up with this error. Pass state as object instead.

app.get(
  '/auth/twitter/callback',
  passport.authenticate('twitter', {
    failureRedirect: '/error?login'
  }),
  (req, res, next) => {
    const state = (req as any)?.session?.['oauth:twitter']?.state?.state;
    console.log('The state is:', state);
    next();
  }
);

[arunlz]

@jnv I'm following the exact example but still getting Unable to verify authorization request state
I have created a stack overflow thread.
https://stackoverflow.com/questions/77443454/getting-unable-to-verify-authorization-request-state-while-using-superfaceai-p

[jnv]

@arunlz It'd be helpful to check the response from the API, but I suspect requested scopes could be at play as well. Say, do you have a free or paid developer account?

[arunlz]

@jnv Thanks for replying, I found the issue, it's bcz of client cred are not for assigned with 2.0 data but I always got Unable to verify authorization request If the app can show the exact issue that would be much appreciated. Also, I'm looking for the scope to fetch email data of the user. Can u help me with that?

[jnv]

Well, since the token retrieval is handled by the underlying Passport strategy, I'm not sure if we can get access to the raw response, but I recommend looking there, as suggested previously in #39 (comment). I don't exactly understand your reply, but it's indeed possible you're passing wrong client secret or something similar. I wrote this tutorial on obtaining the right credentials, but I can't guarantee it's still relevant given the API changes.

Anyway, to my knowledge it's not possible to retrieve user's email with OAuth 2.0 (which is the sole focus of this package). If you primarily need to obtain the email of authorized user, I recommend using OAuth 1.0 authorization, which is handled by passport-twitter strategy.

[domilin]

I encountered the same problem, and finally found that the reason was that the request twitter token interface was not working. The reason was that I had hung up the VPN, but the VPN was not global, so the NodeJS could not access the twitter interface, and this problem occurred. Finally, I hooked up to the global VPN, perfect pass. This is my case. I hope it helps

[dmshvetsov]

allow me to explain what @MuizNadeem meant

you need to pass state object, not a string, read why at the end

app.get(
  '/auth/twitter/callback',
  passport.authenticate('twitter', {
    state: { someKey: 'someValue' }, // IMPORTANT, must be an object not a string, despite type error from `@types/passport-oauth2@1.4.17` read my explanation below 
  })
);

this happens because of this if check from passport-oauth2 see in the repo https://github.com/jaredhanson/passport-oauth2/blob/v1.8.0/lib/strategy.js#L255-L302

this piece of code is intended to hadle "state" which is either nonce or an object that must be provided to authenticate or authorize passport-js methods

by default state is a uuid (nonce) which is string and because of that if will use "state" string value only in request params to Twitter API and won't stored in the session. When "state" is an object then else branch executed and "state" adds to the req.session and you can access it later in the GET twitter callback request handler.

[MuizNadeem]

Thanks for explaining @dmshvetsov. You are right, the state must be passed as object and not plain string, but I believe the more common use case would be to pass state in the authenticate flow and retrieve it in the callback flow. Unfortunately, I do not use raw express js with passport, so its hard to share a working example here but I can summarise both our comments with code snippet below.

app.get(
  '/auth/twitter',
  passport.authenticate('twitter', {
    scope: ['tweet.read', 'users.read', 'offline.access'],
    state: { someKey: 'someValue' }
  })
);

app.get(
  '/auth/twitter/callback',
  passport.authenticate('twitter', {
    failureRedirect: '/error?login'
  }),
  (req, res, next) => {
    const state = req.session.req.authInfo.state;
    console.log('The state is:', state); // The state is: { someKey: 'someValue' }
    next();
  }
);

I have added a working example in this PR

[vshtishi]

@MuizNadeem, can you please provide some guidance, I am facing the same issue even though I am not passing state at all and am trying a very basic integration with Koa as follows:

`router.get("/auth/twitter", (ctx, next) => {
return passport.authenticate(provider, {
scope: ['tweet.read', 'users.read', 'offline.access'],
})(ctx, next);
});

router.get("/auth/twitter/callback", async (ctx, next) => {
await passport.authenticate(provider, function (err, user, info) {
if (err) {
console.log(JSON.stringify(err, null, 2));
ctx.status = 500;
ctx.body = { error: "Internal Server Error" };
return;
}

if (!user) {
  ctx.status = 401;
  ctx.body = { error: "Authentication failed" };
  return;
}

ctx.body = {
  access_token: user.accessToken,
  refresh_token: user.refreshToken,
  profile: user.profile,
};
ctx.status = 200;

})(ctx, next);
});`

[MuizNadeem]

@vshtishi Have you initialised the session correctly? Here is an example for reference:
https://github.com/superfaceai/passport-twitter-oauth2/blob/main/examples/state-usage/server.js#L34

You might want to also check the documentation for the session library you are using in koa.

[vshtishi]

@MuizNadeem I am using koa-session. This is how I am initializing it:

app.keys = [process.env.SESSION_SECRET || "default-secret"];
app.use(
session(
{
secure: false,
httpOnly: false,
},
app,
),
);

initializePassport();

app.use(passport.initialize());
app.use(passport.session());

[vshtishi]

@MuizNadeem My callback URL points to a frontend endpoint which then makes the call to the auth/twitter/callback endpoint with state and code query params. The session cookie value matches the state that is passed to the backend callback. I am in a local dockerized environment