Kinde, 7d ago
Cogal

Kinde OAuth "State not found" - Cookie present but state not decrypted

Hey! I'm facing an issue with Kinde OAuth authentication on my Nuxt 3 app in production (HTTPS + Nginx reverse proxy). When I'm working locally, everything works fine, but when I launch it in production on an Ubuntu server with Docker, I can't connect. This issue varies depending on the computer. I tested it on a Mac with Safari, and it works. I tested it on my Windows machine, and I get the error. I don't get it on my phone, and some other people don't get it on Windows either. I don't understand it at all. The project was working fine; I didn't change anything, but suddenly the cookies became inaccessible on some devices. I'm providing the error message, and if anyone has any ideas, I'd appreciate it.
4 Replies
Cogal (OP), 7d ago
Console Docker:
[Kinde Callback] Valid parameters received, forwarding to Kinde module…
[11:38:50.880] – State received: e6881ad968ae8f51cea59167ee51
[11:38:50.880] – Code received: 6zlUaJEAyFa-j0iKxol1NB1UNo539d…
[11:38:50.880] – Kinde cookie present: false
🚨 [Error Handler] Captured error:
{
"message": "Authentication flow: Received: e6881ad968ae8f51cea59167ee51 | Expected: State not found",
"statusCode": 500,
"url": "/api/callback?code=6zlUaJEAyFa-j0iKxol1NB1UNo539dgn8WOJIGMdZGs.eE5w01m554D7gKNDLmBbGFO_UijsucjuVyzpL2-4rWI&scope=openid%20profile%20email%20offline&state=e6881ad968ae8f51cea59167ee51",
"method": "GET"
}
🔐 [OAuth] Error during Kinde callback:
{
"error": "Authentication flow: Received: e6881ad968ae8f51cea59167ee51 | Expected: State not found",
"statusCode": 500,
"url": "/api/callback?code=6zlUaJEAyFa-j0iKxol1NB1UNo539dgn8WOJIGMdZGs.eE5w01m554D7gKNDLmBbGFO_UijsucjuVyzpL2-4rWI&scope=openid%20profile%20email%20offline&state=e6881ad968ae8f51cea59167ee51",
"stack": "Error: Authentication flow: Received: e6881ad968ae8f51cea59167ee51 | Expected: State not found\n at AuthorizationCode.<anonymous> (file:///app/.output/server/node_modules/@kinde-oss/kinde-typescript-sdk/dist/sdk/oauth2-flows/AuthorizationCode.js:212:35)\n at step (file:///app/.output/server/node_modules/@kinde-oss/kinde-typescript-sdk/dist/sdk/oauth2-flows/AuthorizationCode.js:58:23)\n at Object.next (file:///app/.output/server/node_modules/@kinde-oss/kinde-typescript-sdk/dist/sdk/oauth2-flows/AuthorizationCode.js:39:53)\n at fulfilled (file:///app/.output/server/node_modules/@kinde-oss/kinde-typescript-sdk/dist/sdk/oauth2-flows/AuthorizationCode.js:30:58)"
}
[request error] [unhandled] [GET] https://bloom-beauty-nails.fr/api/callback?code=…&state=e6881ad968ae8f51cea59167ee51
H3Error: Authentication flow: Received: e6881ad968ae8f51cea59167ee51 | Expected: State not found
at AuthorizationCode.<anonymous> (...)
... 2 lines matching cause stack trace ...
at fulfilled (...)
{
cause: Error: Authentication flow: Received: e6881ad968ae8f51cea59167ee51 | Expected: State not found
at AuthorizationCode.<anonymous> (...)
at step (...)
at Object.next (...)
at fulfilled (...),
statusCode: 500,
fatal: false,
unhandled: true
}
[Kinde Error] 500 error detected on callback, likely due to a session/state issue

with: "@nuxtjs/kinde": "^0.1.11"

nuxt.config.ts:
export default defineNuxtConfig({
  compatibilityDate: '2024-11-01',
  devtools: { enabled: false },

  modules: [
    "@nuxtjs/kinde",
    "@nuxt/icon",
    "@pinia/nuxt",
    "@nuxt/image"
  ],

  // ✅ Kinde configuration with secure cookies for OAuth

  runtimeConfig: {
    public: {
      baseUrl: process.env.NODE_ENV === 'production'
        ? "https://bloom-beauty-nails.fr"
        : "http://localhost:3000",
      stripePublicKey: process.env.STRIPE_PUBLIC_KEY
    },
  },

  plugins: [
    { src: '~/plugins/bootstrap.js', mode: 'client' },
    { src: '~/plugins/init-auth.client.ts', mode: 'client' },
    '~/plugins/vitrine.client.ts',
    '~/plugins/error-handler.client.ts'
  ],

  ssr: true,

  experimental: {
    payloadExtraction: false
  },

  nitro: {
    preset: 'node-server',
    externals: {
      external: ['twilio'],
      inline: []
    },
    errorHandler: '~/server/error-handler.ts',
    experimental: {
      openAPI: true
    }
  },

  app: {
    head: {
      charset: 'utf-8',
      viewport: 'width=device-width, initial-scale=1'
    }
  },

  vite: {
    optimizeDeps: {
      exclude: ['nodemailer']
    }
  }
})
Koosha-Kinde, 6d ago
Hey, thanks for reaching out and the details.

From what I can see, the 500 error is coming from your Nuxt /api/callback route (the Kinde Nuxt module), not directly from Kinde. Kinde sends back the code and state, but the callback handler on your server fails.

Because it only happens on some devices (Safari OK, some Windows browsers not, phone OK), this is usually:
- old / broken cookies on those devices, or
- a change in your Kinde env vars (especially the session secret) so old cookies can’t be read anymore.

Could you try these steps:

1. Clear cookies on a device that fails
- In the browser, clear all cookies for your domain.
- Refresh and try logging in again.
If this fixes it, the problem was a stale session cookie.

2. Check your Kinde env vars in production
Make sure these are set and use https and your real domain:
- NUXT_KINDE_AUTH_DOMAIN=https://<your-subdomain>.kinde.com
- NUXT_KINDE_CLIENT_ID
- NUXT_KINDE_CLIENT_SECRET
- NUXT_KINDE_REDIRECT_URL=https://yourdomain.com/api/callback
- NUXT_KINDE_LOGOUT_REDIRECT_URL=https://yourdomain.com
- NUXT_KINDE_POST_LOGIN_REDIRECT_URL=https://yourdomain.com/<after-login>
- NUXT_KINDE_PASSWORD=<long random string>
Important: NUXT_KINDE_PASSWORD must stay the same across deploys, otherwise existing cookies can’t be decrypted.

3. Check server logs
When you try to log in and see the 500, check your server / Docker logs for the error from /api/callback

---

Let me know if this helps,
Thanks
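The log line `Kinde cookie present: false` and the NUXT_KINDE_PASSWORD note in the reply above describe different failures that both surface as "State not found". The following is an added example, not code from this thread or from @nuxtjs/kinde, showing a callback check that names each cause; AES-256-GCM stands in for the module's own cookie sealing, and `sealState`, `checkCallback` and the passwords are hypothetical.

```javascript
// Added example (not @nuxtjs/kinde code). AES-256-GCM is a stand-in for the
// module's real cookie sealing; all names and values here are hypothetical.
const crypto = require('node:crypto');

const keyFrom = (password) => crypto.scryptSync(password, 'oauth-state-demo', 32);

// Login step: encrypt the state with the server password for the cookie.
function sealState(state, password) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', keyFrom(password), iv);
  const body = Buffer.concat([cipher.update(state, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64url');
}

// Callback step: return the reason instead of a bare "State not found".
function checkCallback(cookieValue, stateParam, password) {
  if (!cookieValue) return 'cookie-missing'; // browser or proxy did not deliver it
  const raw = Buffer.from(cookieValue, 'base64url');
  if (raw.length < 28) return 'cookie-undecryptable'; // shorter than iv + tag
  let expected;
  try {
    const key = keyFrom(password);
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
    decipher.setAuthTag(raw.subarray(12, 28));
    expected = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  } catch {
    return 'cookie-undecryptable'; // password changed since the cookie was set
  }
  const got = Buffer.from(String(stateParam), 'utf8');
  const same = got.length === expected.length && crypto.timingSafeEqual(got, expected);
  return same ? 'ok' : 'state-mismatch'; // reject the callback: states differ
}

// Constructed sample values, not taken from the thread.
const state = crypto.randomBytes(14).toString('hex');
const cookie = sealState(state, 'password-from-deploy-1');
console.log(checkCallback(cookie, state, 'password-from-deploy-1'));    // same password
console.log(checkCallback(cookie, state, 'password-from-deploy-2'));    // changed password
console.log(checkCallback(undefined, state, 'password-from-deploy-1')); // no cookie sent
console.log(checkCallback(cookie, state + '0', 'password-from-deploy-1'));
```

Logging the returned reason on the server separates a delivery problem (cookie attributes, domain, proxy) from a secret that differs between deploys or containers.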
Cogal (OP), 5d ago
Thank you for your reply. So, I checked my .env file, and I think everything is fine. I cleared my cache, but it still doesn't work; I'm still getting the same error. I'll show you my logs; does that give you any ideas?
NUXT_KINDE_AUTH_DOMAIN=https://bloombeautynails.kinde.com
NUXT_KINDE_REDIRECT_URL=https://bloom-beauty-nails.fr/api/callback
NUXT_KINDE_LOGOUT_REDIRECT_URL=https://bloom-beauty-nails.fr
NUXT_KINDE_POST_LOGIN_REDIRECT_URL=https://bloom-beauty-nails.fr/dashboard
NUXT_KINDE_PASSWORD=************
NUXT_KINDE_CLIENT_ID=************
NUXT_KINDE_CLIENT_SECRET=************

NUXT_PUBLIC_SITE_URL=https://bloom-beauty-nails.fr
DEBUG=kinde:*

BASE_URL=https://bloom-beauty-nails.fr
REMINDER_MINUTES=1440 #24h before

# Connect to Supabase via connection pooling.
DATABASE_URL=************

# Direct connection to the database. Used for migrations.
DIRECT_URL=************
SUPABASE_URL=************
SUPABASE_SERVICE_ROLE_KEY=************


APP_BASE_URL=https://bloom-beauty-nails.fr
CRON_SECRET=************
STRIPE_SECRET_KEY=************
STRIPE_PUBLIC_KEY=************

SLOT_STEP_MIN=5