Laravel Socialite: InvalidStateException

Backend · unresolved · 25 · 1010
感动是毒 2020-11-27 13:56

I'm using Laravel Socialite to add a Facebook connect button on a website. Sometimes, I've got this error on callback:

    exception 'Laravel\Socialite\Two\
25 answers
  • 2020-11-27 14:29

    I was only experiencing this error when logging in via mobile web with the Facebook app instead of Facebook in the browser. The Facebook app uses the Facebook browser after login instead of your current browser, so it is unaware of the previous state.

    use Laravel\Socialite\Facades\Socialite;
    use Laravel\Socialite\Two\InvalidStateException;

    try {
        // Normal path: compare the state stored in the session with the one the provider returned.
        $socialite = Socialite::driver($provider)->user();
    } catch (InvalidStateException $e) {
        // No matching state in this browser's session: skip the state comparison entirely.
        $socialite = Socialite::driver($provider)->stateless()->user();
    }
    
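The catch-and-retry above disables the state check for exactly the requests that fail it, which are the ones an attacker sends: the state parameter is what stops someone from completing the OAuth dance with their own account and then getting a victim's browser to open the callback URL, so that the victim's session ends up logged into the attacker's account. The following added example (plain PHP, not code from this thread or from Socialite; the session array, function names and provider URL are assumptions) keeps the check and handles the in-app-browser case by restarting the authorization redirect from the browser that actually landed on the callback, with a loop guard carried in the state itself so it works even when that browser keeps no cookies.

```php
<?php
// Added example, not code from the thread or from Socialite: an OAuth "state" check
// whose fallback restarts the authorization redirect instead of switching to
// stateless(). $session stands in for the framework session; all names are assumed.

declare(strict_types=1);

/**
 * Issue a fresh state, bind it to this browser's session and build the redirect URL.
 * A restarted attempt gets a ".r" suffix so the loop guard rides along in the state
 * itself and still works in a browser that keeps no cookies at all.
 */
function beginAuthorization(array &$session, string $authorizeUrl, string $clientId,
                            string $redirectUri, bool $isRestart = false): string
{
    $state = bin2hex(random_bytes(16)) . ($isRestart ? '.r' : '');
    $session['oauth_state'] = $state;
    return $authorizeUrl . '?' . http_build_query([
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUri,
        'response_type' => 'code',
        'scope'         => 'email',
        'state'         => $state,
    ]);
}

/**
 * Decide what to do with the callback:
 *   ['ok' => true,  'code' => ...]       state matched, exchange the code
 *   ['ok' => false, 'restart' => true]   no state in this session, redirect to the provider again
 *   ['ok' => false, 'restart' => false]  reject; never fall back to a stateless exchange
 */
function handleCallback(array &$session, array $query): array
{
    $expected = $session['oauth_state'] ?? null;
    unset($session['oauth_state']);                       // single use, like Socialite's pull('state')
    $received = (string) ($query['state'] ?? '');

    if ($expected === null) {
        // This browser never started the flow (e.g. the Facebook in-app browser after
        // the app handled the login). Restart once from here; on a second miss, give up.
        $alreadyRestarted = substr($received, -2) === '.r';
        return ['ok' => false, 'restart' => !$alreadyRestarted,
                'reason' => $alreadyRestarted ? 'no session after restart' : 'no state in session'];
    }
    if (!hash_equals($expected, $received)) {
        // Falling back to stateless() here would accept a code the attacker obtained for
        // their own account and log this victim into it (login CSRF).
        return ['ok' => false, 'restart' => false, 'reason' => 'state mismatch'];
    }
    return ['ok' => true, 'code' => (string) ($query['code'] ?? '')];
}

// Walk-through with in-memory sessions (constructed values, no network).
$authorize = 'https://provider.example/oauth/authorize';
$callback  = 'https://example.com/callback/facebook';

// Browser A starts the flow and comes back with the state it was given.
$sessionA = [];
parse_str((string) parse_url(beginAuthorization($sessionA, $authorize, 'APP_ID', $callback), PHP_URL_QUERY), $sent);
$result = handleCallback($sessionA, ['state' => $sent['state'], 'code' => 'constructed-code']);
printf("same browser: ok=%d\n", $result['ok']);

// Browser B (empty session) receives the same callback: restart, not stateless.
$sessionB = [];
$result = handleCallback($sessionB, ['state' => $sent['state'], 'code' => 'constructed-code']);
if ($result['restart']) {
    $retryUrl = beginAuthorization($sessionB, $authorize, 'APP_ID', $callback, true);
    printf("new browser: redirect again to %s\n", $retryUrl);
}

// A forged callback against a browser that did start a flow is rejected outright.
$sessionC = [];
beginAuthorization($sessionC, $authorize, 'APP_ID', $callback);
$result = handleCallback($sessionC, ['state' => 'attacker-chosen', 'code' => 'attacker-code']);
printf("forged: ok=%d reason=%s\n", $result['ok'], $result['reason']);
```

In a Laravel controller the "restart" branch would be `return redirect($retryUrl)` and the "ok" branch is where the code exchange happens; the point is that the exchange only ever runs after the state matched. The `.r` suffix is under the caller's control, but the only thing it can cause is a rejection, which is the safe direction.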
  • 2020-11-27 14:30

    October 2020

    For me, I had

    …\vendor\laravel\socialite\src\Two\AbstractProvider.php:209
    

    So I converted my code from

    $user = Socialite::driver('facebook')->user();
    

    to

    $user = Socialite::driver('facebook')->stateless()->user();
    

    I didn't have to clear any caches. I did delete the cookies, though I'm not sure you have to.

  • 2020-11-27 14:32

    tl;dr

    If you need to read a given state parameter returned by a third-party service, you can set Socialite to skip this check with the stateless method:

    Socialite::driver($provider)->stateless();
    

    I think Socialite is already prepared to avoid this issue.

    https://github.com/laravel/socialite/blob/2.0/src/Two/AbstractProvider.php#L77

     /**
     * Indicates if the session state should be utilized.
     *
     * @var bool
     */
    protected $stateless = false;
    

    https://github.com/laravel/socialite/blob/2.0/src/Two/AbstractProvider.php#L374

    /**
     * Indicates that the provider should operate as stateless.
     *
     * @return $this
     */
    public function stateless()
    {
        $this->stateless = true;
        return $this;
    }
    

    https://github.com/laravel/socialite/blob/2.0/src/Two/AbstractProvider.php#L222

    /**
     * Determine if the current request / session has a mismatching "state".
     *
     * @return bool
     */
    protected function hasInvalidState()
    {
        if ($this->isStateless()) {
            return false; // <--------
        }
        $state = $this->request->getSession()->pull('state');
        return ! (strlen($state) > 0 && $this->request->input('state') === $state);
    }
    

    For instance, state is very useful to pass data through Google:

    Parameter: state (Any string)
    Provides any state that might be useful to your application upon receipt of the response. The Google Authorization Server round-trips this parameter, so your application receives the same value it sent. Possible uses include redirecting the user to the correct resource in your site, and cross-site-request-forgery mitigations.

    ref: https://developers.google.com/identity/protocols/OAuth2UserAgent#overview

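The Google text quoted above lists both uses of `state` (carrying data such as a return path, and CSRF mitigation), and the two are not in conflict: the answer's `stateless()` shortcut gives up the second to get the first. The following added example (plain PHP, not Socialite's code; the session array, the signing key and the function names are assumptions) packs application data into the state next to a per-session nonce and signs the result, so the callback can read the data back while the nonce comparison still proves that this browser is the one that started the flow. The signature stops the carried data from being edited in transit, and the return path is additionally restricted to a same-site path so the value can never become an open redirect.

```php
<?php
// Added example, not Socialite's code: carry application data (here a return path)
// inside the OAuth "state" while keeping the CSRF binding that stateless() discards.
// The session array, the key and the function names are assumptions for the demo.

declare(strict_types=1);

function b64url(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64urlDecode(string $enc)
{
    return base64_decode(strtr($enc, '-_', '+/'), true);   // false on malformed input
}

/** Build "payload.signature" and remember the nonce in the session. */
function buildState(array &$session, string $key, array $data): string
{
    $nonce = bin2hex(random_bytes(16));
    $session['oauth_nonce'] = $nonce;                              // the CSRF binding
    $payload = b64url(json_encode(['n' => $nonce] + $data));       // 'n' cannot be overridden by $data
    $sig = b64url(hash_hmac('sha256', $payload, $key, true));      // integrity of the carried data
    return $payload . '.' . $sig;
}

/** Verify and unpack the returned state; null means reject the callback. */
function readState(array &$session, string $key, string $state): ?array
{
    $nonce = $session['oauth_nonce'] ?? null;
    unset($session['oauth_nonce']);                                // single use
    $parts = explode('.', $state, 2);
    if ($nonce === null || count($parts) !== 2) {
        return null;
    }
    [$payload, $sig] = $parts;
    if (!hash_equals(b64url(hash_hmac('sha256', $payload, $key, true)), $sig)) {
        return null;                                               // tampered or not ours
    }
    $raw  = b64urlDecode($payload);
    $data = $raw === false ? null : json_decode($raw, true);
    if (!is_array($data) || !isset($data['n']) || !is_string($data['n'])
        || !hash_equals($nonce, $data['n'])) {
        return null;                                               // signed, but issued to another browser
    }
    unset($data['n']);
    return $data;
}

/** Follow only a same-site path from the state, never a full URL (open redirect). */
function safeReturnPath($path): string
{
    $isLocal = is_string($path) && $path !== '' && $path[0] === '/' && substr($path, 0, 2) !== '//';
    return $isLocal ? $path : '/';
}

// Walk-through with an in-memory session and a constructed key (use APP_KEY in Laravel).
$key = 'constructed-demo-key';
$session = [];
$state = buildState($session, $key, ['return_to' => '/orders/42']);

// Same browser returns with the state it was issued: data comes back intact.
$data = readState($session, $key, $state);
printf("redirect to %s\n", safeReturnPath($data['return_to'] ?? null));

// Another browser (or an attacker) presents the same, validly signed state: nonce absent.
$other = [];
var_dump(readState($other, $key, $state));

// Payload edited to point elsewhere, signature left as-is: signature check fails.
$session['oauth_nonce'] = 'irrelevant';
$tampered = b64url(json_encode(['n' => 'x', 'return_to' => 'https://evil.example'])) . '.' . explode('.', $state, 2)[1];
var_dump(readState($session, $key, $tampered));
```

The nonce, not the signature, is what provides the CSRF property: anyone can obtain a validly signed state by starting a flow themselves, but only the browser that was issued it holds the matching session entry.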
  • 2020-11-27 14:32

    This issue has nothing to do with a lot of the solutions above; it is rather as simple as changing your callback URL from http://localhost:8000/callback/twitter to http://127.0.0.1:8000/callback/twitter in your config/services.php and in the app set up on your Twitter application.

    The http://localhost in the URL is the issue; replace it with http://127.0.0.1.

  • 2020-11-27 14:34

    I ran into this issue last night and solved it with the following solution.

    More information on my issue, I've got

    InvalidStateException in AbstractProvider.php line 182

    in the function handleProviderCallback() when it re-direct back from Facebook login. It seems to be the same as your issue.

    Furthermore, I found my issue occurs when I open my site without www. When I open my site with www.mysite.com, there is no problem. At first I thought my issue was random, until I got the clue from Chris Townsend's reply to the question. Thank you very much.

    The Solution

    1. Go to your www root, check the laravel file config/session.php
    2. Check the Session Cookie Domain setting. The default configuration is 'domain' => null; I changed it to 'domain' => 'mysite.com'.
    3. After 'php artisan cache:clear' and 'composer dump-autoload', I can log in with no issue from both www.mysite.com and mysite.com.

    Be sure to delete your cookies from browser when testing it after these modifications are done. Old cookies can still produce problems.

  • 2020-11-27 14:35

    Laravel 6.16.0
    php 7.4.2

    I came across this exact issue. It turns out I had recently changed same_site to strict and Socialite was throwing an InvalidStateException. Then I changed it back to null and all worked fine.

    /*
    |--------------------------------------------------------------------------
    | Same-Site Cookies
    |--------------------------------------------------------------------------
    |
    | This option determines how your cookies behave when cross-site requests
    | take place, and can be used to mitigate CSRF attacks. By default, we
    | do not enable this as other CSRF protection services are in place.
    |
    | Supported: "lax", "strict"
    |
    */

    'same_site' => null,
    
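The two previous answers (session cookie domain, and SameSite) are the same failure seen from two sides: the provider's redirect to the callback is a top-level, cross-site GET, and if the browser does not attach the session cookie to that navigation the `state` written before the redirect is simply not there to compare. With SameSite=Strict the cookie is withheld on every cross-site request, including that navigation; Lax still sends it on top-level GET navigations, which is all the callback needs. A cookie scoped to `www.mysite.com` is likewise not sent when the callback lands on the bare domain. The following config fragment is an added example, not from the thread; `example.com` and the `SESSION_DOMAIN` variable are assumptions for illustration, and the Laravel 6 page quoted above lists `null`, `"lax"` and `"strict"` as the accepted values.

```php
<?php
// config/session.php (fragment). Added example, not from the thread; the host
// name and the SESSION_DOMAIN variable are assumptions for illustration.
return [
    // Weak: 'domain' => null scopes the cookie to the exact host that set it, so a
    // flow started on www.example.com has no session when the callback lands on
    // example.com. Naming the registrable domain shares the cookie with subdomains.
    'domain' => env('SESSION_DOMAIN', 'example.com'),

    // Weak: 'strict' withholds the cookie on the cross-site top-level GET that the
    // provider's redirect to /callback is, so the session (and its 'state') looks
    // empty. 'lax' still sends it on top-level GET navigations.
    'same_site' => 'lax',
];
```

After changing either value, clear old cookies in the browser under test: a cookie that was set with the previous Domain or SameSite attributes keeps those attributes until it expires or is overwritten.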