OAuth Proxy State Mismatch Issue with Localhost → Production Flow
@Better Auth
We're using
1. User clicks sign-in on
2. OAuth state is created and stored (cookie/database)
3. User redirected to OAuth provider with
4. OAuth provider redirects back to
5. Production should skip state cookie check (since it was initiated from localhost)
6. Production validates the code and proxies back to localhost with encrypted cookies
Steps 1-4 work correctly, but at step 5:
- Production receives the callback with
- Production tries to verify the state cookie, but the cookie is on localhost, not production
- Production returns
We're using
better-authoAuthProxyExpected Flow
1. User clicks sign-in on
localhost:30002. OAuth state is created and stored (cookie/database)
3. User redirected to OAuth provider with
redirect_uri=https://production.example.com/api/auth/callback/cognito&state=xyz4. OAuth provider redirects back to
https://production.example.com/api/auth/callback/cognito?code=...&state=xyz5. Production should skip state cookie check (since it was initiated from localhost)
6. Production validates the code and proxies back to localhost with encrypted cookies
Actual Behavior
Steps 1-4 work correctly, but at step 5:
- Production receives the callback with
state=<state-value>- Production tries to verify the state cookie, but the cookie is on localhost, not production
- Production returns
state_mismatch
