Getting AuthStateMissing/social-auth/complete/{backend}/ error #250

Closed
krishnanand opened this issue Jun 14, 2018 · 17 comments
Labels
stale Stale issues (closing soon)

Comments

@krishnanand

krishnanand commented Jun 14, 2018

I have read the discussions on this bug report omab/python-social-auth#534, but unfortunately, I could not figure out how to resolve my issue. I have just started working on the project that uses social django, and I apologise if I have asked a stupid question.

I am getting the following error in our production logs:

EXCEPTION(most recent call first)
AuthStateMissing: Session value state missing.
  File "django/core/handlers/exception.py", line 41, in inner
    response = get_response(request)
  File "django/core/handlers/base.py", line 249, in _legacy_get_response
    response = self._get_response(request)
  File "django/core/handlers/base.py", line 187, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "django/core/handlers/base.py", line 185, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "newrelic/hooks/framework_django.py", line 499, in wrapper
    return wrapped(*args, **kwargs)
  File "django/views/decorators/cache.py", line 57, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "django/views/decorators/csrf.py", line 58, in wrapped_view
    return view_func(*args, **kwargs)
  File "social_django/utils.py", line 49, in wrapper
    return func(request, backend, *args, **kwargs)
  File "social_django/views.py", line 33, in complete
    *args, **kwargs)
  File "social_core/actions.py", line 41, in do_complete
    user = backend.complete(user=user, *args, **kwargs)
  File "social_core/backends/base.py", line 40, in complete
    return self.auth_complete(*args, **kwargs)
  File "social_core/utils.py", line 252, in wrapper
    return func(*args, **kwargs)
  File "social_core/backends/oauth.py", line 388, in auth_complete
    state = self.validate_state()
  File "social_core/backends/oauth.py", line 90, in validate_state
    raise AuthStateMissing(self, 'state')

In our production, we have written our own OAuth2 implementation, a custom backend, which does a 302 redirect to the redirect URI; that URI is deployed on a different host than our OAuth2 backend.

{
    logMessage:  "Removing session from scope."     
    severity:  "DEBUG"     
    sourceLocation: {
     file:  "/base/data/home/apps/s~myproject-hrd/master-5-22-2.409769015905238004/sql/sessions.py"      
     functionName:  "managed_session"      
     line:  "89"      
    }
    time:  "2018-05-18T15:25:35.060309Z"     
   }
  ]
  megaCycles:  "116"   
  method:  "GET"   
  requestId:  "5afef06e00ff0eb200ff5fa38dcb0001737e6f7074696d697a656c792d68726400016d61737465722d352d32322d32000100"   
  resource:  "/oauth2/authorize?client_id=<client_id>&redirect_uri=<redirect_uri>&response_type=code&state=8wMwIRZBpIFyxID3bZQr8Hr53xsfdJWt&scopes=all"   
  responseSize:  "374"   
  startTime:  "2018-05-18T15:25:34.963072Z"   
  status:  302   
  traceId:  "674fbe9ae6e31083640017c40f339010"   
  urlMapEntry:  "main.app"   
  userAgent:  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"   
  versionId:  "master-5-22-2"   
 }

Our pipelines:

SOCIAL_AUTH_PIPELINE = (
    'social_core.pipeline.social_auth.social_details',
    'social_core.pipeline.social_auth.social_uid',
    'social_core.pipeline.social_auth.auth_allowed',
    'social_core.pipeline.social_auth.social_user',
    'social_core.pipeline.user.get_username',
    'social_core.pipeline.mail.mail_validation',
    'social_core.pipeline.social_auth.associate_by_email',
    'social_core.pipeline.user.create_user',
    'social_core.pipeline.social_auth.associate_user',
    'social_core.pipeline.social_auth.load_extra_data',
    'social_core.pipeline.user.user_details',
   . . . .  other pipelines . . . 
)

These are all the logs that I have. I don't know what I could be doing wrong for this to be raised. Any suggestions would be gratefully appreciated.

@lubo

lubo commented Jul 25, 2018

I believe I suffer from the same problem:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/django/core/handlers/exception.py", line 35, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.6/site-packages/django/core/handlers/base.py", line 128, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/usr/local/lib/python3.6/site-packages/django/core/handlers/base.py", line 126, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/usr/local/lib/python3.6/site-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
    return view_func(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/social_django/utils.py", line 49, in wrapper
    return func(request, backend, *args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/social_django/views.py", line 33, in complete
    *args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/social_core/actions.py", line 41, in do_complete
    user = backend.complete(user=user, *args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/social_core/backends/base.py", line 40, in complete
    return self.auth_complete(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/social_core/utils.py", line 252, in wrapper
    return func(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/social_core/backends/oauth.py", line 388, in auth_complete
    state = self.validate_state()
  File "/usr/local/lib/python3.6/site-packages/social_core/backends/oauth.py", line 88, in validate_state
    raise AuthMissingParameter(self, 'state')
social_core.exceptions.AuthMissingParameter: Missing needed parameter state

I'm using Google OAuth2 backend and my pipeline is:

SOCIAL_AUTH_PIPELINE = (
    'social_core.pipeline.social_auth.social_details',
    'social_core.pipeline.social_auth.social_uid',
    'social_core.pipeline.social_auth.auth_allowed',
    'social_core.pipeline.social_auth.social_user',
    'social_core.pipeline.social_auth.associate_by_email',
    'social_core.pipeline.social_auth.associate_user',
    'social_core.pipeline.social_auth.load_extra_data',
    'social_core.pipeline.user.user_details',
)

@andreyyudin
Contributor

andreyyudin commented Aug 8, 2018

I am experiencing the same issue. It happens when Googlebot tries to access /complete/google-oauth2/ url directly.

Edit: One possible solution is to detect the missing query string in, for example, Apache config. Something like:
RewriteCond %{REQUEST_URI} ^yoursite/complete/(.+)/$
RewriteCond %{QUERY_STRING} !(^|&)state=
RewriteRule (.*) /failpage [R=403,L]

would make sure that the page is not being accessed without the state specified.
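The two tracebacks in this thread end in different exceptions from the same function: lubo's request has no state in the query string at all (AuthMissingParameter, the crawler case described just above), while krishnanand's has a state in the URL but none in the session (AuthStateMissing). The following is an added example, not code from python-social-auth, that reproduces that check order with stand-in exception classes and labels each outcome so it can be counted separately in logs; the session/query dicts and the `oauth_state` key are assumptions of the example.

```python
import hmac
import secrets
from typing import Mapping


class AuthMissingParameter(Exception):
    """The callback request carried no `state` query parameter."""


class AuthStateMissing(Exception):
    """The session holds no `state` to compare the callback against."""


class AuthStateForbidden(Exception):
    """Callback `state` and session `state` do not match."""


def begin_auth(session: dict) -> str:
    """Mint an unguessable state, remember it in the server-side session and
    return it for inclusion in the authorize redirect URL."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state  # assumed session key, not social_core's
    return state


def validate_state(query: Mapping[str, str], session: Mapping[str, str]) -> str:
    """Check the state echoed back by the provider. The check order (query
    parameter first, then session, then comparison) is the one the tracebacks
    above show for social_core's validate_state; the exception classes here
    are stand-ins, not social_core.exceptions."""
    request_state = query.get("state")
    if not request_state:
        # No state in the callback URL at all: a crawler or a user hitting
        # /complete/<backend>/ directly, with no provider round trip.
        raise AuthMissingParameter("state")
    session_state = session.get("oauth_state")
    if not session_state:
        # State is in the URL but the session has none: the session cookie
        # was not sent on the redirect, or the session could not be loaded.
        raise AuthStateMissing("state")
    if not hmac.compare_digest(request_state.encode(), session_state.encode()):
        # Both present but different: a replayed or forged callback.
        raise AuthStateForbidden("state")
    return session_state


def classify_callback(query: Mapping[str, str], session: Mapping[str, str]) -> str:
    """Turn the outcome into a label, so the three causes can be counted
    separately instead of all surfacing as one 500 in the error tracker."""
    try:
        validate_state(query, session)
    except AuthMissingParameter:
        return "no-state-in-query"
    except AuthStateMissing:
        return "no-state-in-session"
    except AuthStateForbidden:
        return "state-mismatch"
    return "ok"


if __name__ == "__main__":
    # Constructed scenarios, not real requests.
    session = {}
    state = begin_auth(session)
    print(classify_callback({"state": state, "code": "abc"}, session))      # ok
    print(classify_callback({}, session))                                  # no-state-in-query
    print(classify_callback({"state": state, "code": "abc"}, {}))          # no-state-in-session
    print(classify_callback({"state": "not-" + state, "code": "abc"}, session))  # state-mismatch
```

The Apache rule above filters only the first label (no state in the query); the second label is the one the rest of this thread is about, and it points at the session cookie rather than at the request URL.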

@zain

zain commented Nov 8, 2018

Another thing to try if you are seeing the AuthStateMissing error:
in settings.py, add SESSION_COOKIE_SAMESITE = None.

In my case, I only saw the error on Safari upon the redirect in the last leg of OAuth. The weirdest part was that I could refresh the page and the error would go away.

Upon further digging, I realized Safari wasn't sending any cookies on the redirect, but would send cookies when I hit refresh (so the cookies were set correctly, just not being sent). I found the SESSION_COOKIE_SAMESITE setting which, by default, will strip your cookies on that redirect, and thus Django cannot find your session.
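The provider's redirect back to /complete/&lt;backend&gt;/ is a cross-site, top-level GET, so whether the session cookie rides along depends on its SameSite attribute. Below is an added example (not from python-social-auth or Django) that models the spec-level rules for Strict, Lax and None and shows which settings leave the callback without a session; the `SessionCookie`/`Request` types are constructed for the example, and the Safari quirk reported in the comment above is not modelled.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SessionCookie:
    samesite: Optional[str]  # "Strict", "Lax", "None", or None when the attribute is omitted
    secure: bool


@dataclass(frozen=True)
class Request:
    cross_site: bool   # initiated by another site, e.g. the provider's 302 back to us
    top_level: bool    # a navigation (the address bar changes), not fetch/XHR or an iframe
    method: str
    https: bool


def cookie_is_sent(cookie: SessionCookie, req: Request) -> bool:
    """Spec-level model of whether a browser attaches `cookie` to `req`."""
    if cookie.secure and not req.https:
        return False                      # Secure cookies never travel over http
    if not req.cross_site:
        return True                       # same-site requests are unaffected by SameSite
    if cookie.samesite == "Strict":
        return False                      # never on a cross-site request, OAuth callback included
    if cookie.samesite == "Lax":
        return req.top_level and req.method == "GET"   # top-level navigations only
    if cookie.samesite == "None":
        return cookie.secure              # browsers reject SameSite=None without Secure
    # Attribute omitted: unrestricted in 2018-era browsers, treated as Lax by
    # current Chromium-based browsers; the modern default is modelled here.
    return req.top_level and req.method == "GET"


# The last leg of the OAuth dance as the browser sees it (constructed).
OAUTH_CALLBACK_GET = Request(cross_site=True, top_level=True, method="GET", https=True)
# Some providers post the response back instead (response_mode=form_post).
OAUTH_CALLBACK_POST = Request(cross_site=True, top_level=True, method="POST", https=True)


def callback_outcome(cookie: SessionCookie, req: Request = OAUTH_CALLBACK_GET) -> str:
    """What the app sees when the provider redirects back with ?code=&state=."""
    if cookie_is_sent(cookie, req):
        return "session found, state validated"
    return "no session cookie -> AuthStateMissing"


# Django mapping for the model above (assumed; check the docs for your version):
#   SESSION_COOKIE_SAMESITE = 'Strict' -> SessionCookie("Strict", ...)
#   SESSION_COOKIE_SAMESITE = 'Lax'    -> SessionCookie("Lax", ...)    Django's default since 2.1
#   SESSION_COOKIE_SAMESITE = None     -> attribute omitted             the workaround in this thread
#   SESSION_COOKIE_SAMESITE = 'None'   -> SessionCookie("None", ...)   Django 3.1+, needs SESSION_COOKIE_SECURE = True

if __name__ == "__main__":
    for label, cookie in [("Strict", SessionCookie("Strict", True)),
                          ("Lax", SessionCookie("Lax", True)),
                          ("None+Secure", SessionCookie("None", True)),
                          ("None without Secure", SessionCookie("None", False))]:
        print(f"{label:20s} GET  -> {callback_outcome(cookie)}")
        print(f"{label:20s} POST -> {callback_outcome(cookie, OAUTH_CALLBACK_POST)}")
```

Two things the model makes visible: Strict drops the cookie on every callback, which matches the 'strict' to None report later in the thread; and Lax keeps it only for GET, so a provider that POSTs the response back loses the session even under Django's default. Whatever value is chosen, the session cookie should stay Secure and HttpOnly; relaxing SameSite widens the cross-site request surface, so CSRF protection on the app's own state-changing views is what has to carry that risk.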

@Sktbanerjee1

Hi everyone, I am new to this and I am facing the same issue. Any help will be appreciated. Thanks.

@krnsingh09

I was also facing the same issue, but changing SESSION_COOKIE_SAMESITE from 'strict' to None solved it for me.
Actually, setting SESSION_COOKIE_SAMESITE to 'strict' restricts the cookie to a single site, and that is when the error comes. So setting SESSION_COOKIE_SAMESITE to None won't cause any problem when switching between different sites.

Hence, check this in your settings.py to see if it solves your problem.

@afwilkin

afwilkin commented Sep 8, 2019

I was able to solve the issue by running an "Empty Cache and Hard Reload" in Google Chrome (https://www.thewindowsclub.com/empty-cache-hard-reload-chrome)

@mfldavidson

Another thing to try if you are seeing the AuthStateMissing error:
in settings.py, add SESSION_COOKIE_SAMESITE = None.

In my case, I only saw the error on Safari upon the redirect in the last leg of OAuth. The weirdest part was that I could refresh the page and the error would go away.

Upon further digging, I realized Safari wasn't sending any cookies on the redirect, but would send cookies when I hit refresh (so the cookies were set correctly, just not being sent). I found the SESSION_COOKIE_SAMESITE setting which, by default, will strip your cookies on that redirect, and thus Django cannot find your session.

This fixed the issue for me as well, thank you!

@captainaustralia

As far as I understand, for many, the problem will also be that the state parameter cannot be passed via HTTP. It will wait for the transition to HTTPS; otherwise it will not include the state parameter. When I connect SSL, I will be able to say for sure.

@PetrDlouhy

After setting SESSION_COOKIE_SAMESITE = None the number of AuthStateMissing errors did reduce significantly, fixing the error on Safari.
However, I am still seeing several such errors a day (~7 errors out of ~2000 requests). So I am wondering if there might be some other error.

@karina-klinkeviciute

I am doing authentication from flutter, not from browser. For now I'm testing with swagger. I added the SESSION_COOKIE_SAMESITE = None as recommended above but am still getting the same error.

@karina-klinkeviciute

I'm connecting from swagger (later the connection will be from flutter) and even after setting SESSION_COOKIE_SAMESITE = None it still doesn't work, I get the same error.

@khrisvandal

Has anyone resolved this issue? It's happening with Apple sign-in.

@gmverdon

gmverdon commented Aug 24, 2023

For Apple Sign-in, setting SESSION_COOKIE_SAMESITE = None does not fix the issue.

@MatsErdkamp

This also happens for me on occasional logins. Happens with Spotify auth and (mostly) Safari clients.

@taobojlen

FWIW, we were seeing this happen occasionally. In our case, the problem was that we had a pod running with an invalid Django SECRET_KEY, so requests to this pod would fail to validate the Django session. This was reflected in our logs as AuthStateMissing even though the real problem was unrelated to python-social-auth.

@PetrDlouhy

@taobojlen Could there be a problem that python-social-auth is catching unrelated errors and throwing them as AuthStateMissing?
If that is true, I think it should be considered a bug in python-social-auth, because hidden bugs are never good.

@taobojlen

@PetrDlouhy I wouldn't say so. From the perspective of python-social-auth, it is indeed true that the auth state is missing! The deeper problem, you might argue, is that Django does not raise an exception if it cannot validate a session -- instead, it just returns a string like "Session invalid" or something.
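The exchange above describes a third way to arrive at AuthStateMissing: the cookie was sent, but the session data it points to cannot be verified, and an unverifiable session is treated as an empty one. The following is an added example, not Django's or python-social-auth's code, that models session data as an HMAC-signed payload (a toy stand-in for Django's signing with SECRET_KEY), loads it under the right and the wrong key, and records why the session came back empty so that a key mismatch is distinguishable from a cookie that never arrived; the keys, cookie format and `oauth_state` key are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Tuple


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(data: dict, secret: bytes) -> str:
    """Serialize and HMAC-SHA256-sign a session payload under `secret`."""
    payload = _b64e(json.dumps(data, sort_keys=True).encode())
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def inspect_session(cookie: str, secret: bytes) -> Tuple[dict, str]:
    """Return (session, status). The session is {} whenever it cannot be
    trusted, which is the silent behaviour the comment above points at; the
    status string is what a caller would log to tell the causes apart."""
    if not cookie:
        return {}, "no-cookie"
    payload, sep, mac = cookie.rpartition(".")
    if not sep:
        return {}, "malformed"
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return {}, "bad-signature"   # e.g. a pod running with a different SECRET_KEY
    return json.loads(_b64d(payload)), "ok"


def complete_callback(cookie: str, secret: bytes, query_state: str) -> str:
    """The last leg of the flow: load the session, then compare states."""
    session, status = inspect_session(cookie, secret)
    session_state = session.get("oauth_state")
    if not session_state:
        # The OAuth layer only sees "state missing"; appending the session
        # status is what makes a key mismatch visible in the logs.
        return f"AuthStateMissing (session {status})"
    if not hmac.compare_digest(query_state.encode(), session_state.encode()):
        return "AuthStateForbidden"
    return "ok"


if __name__ == "__main__":
    # Constructed keys: two pods that should share a SECRET_KEY but do not.
    KEY_A = b"secret-key-of-pod-a"
    KEY_B = b"secret-key-of-pod-b"
    cookie = sign_session({"oauth_state": "8wMwIRZBpIFyxID3bZQr8Hr53xsfdJWt"}, KEY_A)
    print(complete_callback(cookie, KEY_A, "8wMwIRZBpIFyxID3bZQr8Hr53xsfdJWt"))  # ok
    print(complete_callback(cookie, KEY_B, "8wMwIRZBpIFyxID3bZQr8Hr53xsfdJWt"))  # AuthStateMissing (session bad-signature)
    print(complete_callback("", KEY_A, "8wMwIRZBpIFyxID3bZQr8Hr53xsfdJWt"))      # AuthStateMissing (session no-cookie)
```

The practical takeaway for the residual errors reported earlier in the thread (a handful per day after the SameSite change) is to log the session status next to the AuthStateMissing count: a steady trickle of bad-signature results from one host is a configuration drift problem, not an OAuth one.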
