[Bug]: Okta login would return "invalid_state" while started multiple dev instances
Self Checks
- [x] I have searched for existing issues, including closed ones.
- [x] I confirm that I am using English to submit this report (Language Policy).
- [x] Non-English title submissions will be closed directly (Language Policy).
- [x] Please do not modify this template :) and fill in all the required fields.
RAGFlow workspace code commit ID
v0.19.0
RAGFlow image version
v0.19.0
Other environment information
Nginx ingress controller -> ragflow in k8s deployment
Actual behavior
When I try to log in, it returns the error "invalid_state", and sometimes the backend shows the following error logs (not every time):
```
2025-06-15 18:54:12,446 WARNING 18 load_user got exception Signature b'lZ5WvNd2qbLE-aYKVspXFiM_2HE' does not match
2025-06-15 18:54:12,447 ERROR 18 401 Unauthorized: The server could not verify that you are authorized to access the URL requested. You either supplied the wrong credentials (e.g. a bad password), or your browser doesn't understand how to supply the credentials required.
Traceback (most recent call last):
  File "/ragflow/.venv/lib/python3.10/site-packages/flask/app.py", line 880, in full_dispatch_request
    rv = self.dispatch_request()
  File "/ragflow/.venv/lib/python3.10/site-packages/flask/app.py", line 865, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)  # type: ignore[no-any-return]
  File "/ragflow/.venv/lib/python3.10/site-packages/flask_login/utils.py", line 285, in decorated_view
    return current_app.login_manager.unauthorized()
  File "/ragflow/.venv/lib/python3.10/site-packages/flask_login/login_manager.py", line 178, in unauthorized
    abort(401)
  File "/ragflow/.venv/lib/python3.10/site-packages/flask/helpers.py", line 272, in abort
    current_app.aborter(code, *args, **kwargs)
  File "/ragflow/.venv/lib/python3.10/site-packages/werkzeug/exceptions.py", line 863, in __call__
    raise self.mapping[code](*args, **kwargs)
werkzeug.exceptions.Unauthorized: 401 Unauthorized: The server could not verify that you are authorized to access the URL requested. You either supplied the wrong credentials (e.g. a bad password), or your browser doesn't understand how to supply the credentials required.
```
When I scaled the RAGFlow instances in from 2 to 1, the issue was resolved and I could log in as normal.
Expected behavior
Login should work even though multiple instances are started.
Steps to reproduce
1. Start multiple RAGFlow instances integrated with Okta SSO;
2. Try to log in.
Additional information
I asked ChatGPT and it said this issue is caused by the state being stored in a temporary session per RAGFlow instance; see the code.
This happens because RAGFlow stores OAuth state in the Flask session, which by default uses a local filesystem backend. In a multi-instance setup (like Kubernetes), each instance has its own session storage, so the OAuth state from the login request may not be available on the instance that handles the callback—leading to the "invalid_state" error you’re seeing. Scaling down to one instance avoids this because all requests hit the same session store.
To fix this, configure RAGFlow to use a shared session backend like Redis. In your Flask app config, set:
```python
import redis

app.config["SESSION_TYPE"] = "redis"  # Flask-Session server-side store shared by all pods
app.config["SESSION_REDIS"] = redis.from_url("redis://<host>:<port>/<db>")
```
You’ll also need to ensure the Redis connection details match your environment (see the redis section in your service_conf.yaml). With this change, all instances will share session data, and Okta logins should work reliably across multiple pods. More details on the session handling and root cause are in the code and config here and here.
There’s no built-in RAGFlow documentation for this, but Flask-Session with Redis is a common solution for this class of problem. After updating your config, restart all pods and test login from multiple instances to confirm the fix.
The different instances should have the same SECRET_KEY.
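As an added illustration of the session explanation above and of the SECRET_KEY point (example code, not RAGFlow's or Flask's own): a simplified model of Flask's signed session cookie, showing how a login that starts on one pod fails its state check on a second pod that verifies with a different SECRET_KEY. The signing scheme approximates itsdangerous; the function names and the two-pod flow are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Simplified model of Flask's signed session cookie (itsdangerous-style HMAC).
# Constructed for illustration only; it is not RAGFlow's or Flask's code.

def _sign(secret_key: str, payload: bytes) -> bytes:
    # Flask derives a per-purpose key from SECRET_KEY and a salt; approximated here.
    key = hashlib.sha1(b"cookie-session" + secret_key.encode()).digest()
    mac = hmac.new(key, payload, hashlib.sha1).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=")

def make_session_cookie(secret_key: str, session: dict) -> str:
    # Cookie value = base64(session JSON) + "." + signature, as Flask does.
    payload = base64.urlsafe_b64encode(json.dumps(session).encode()).rstrip(b"=")
    return (payload + b"." + _sign(secret_key, payload)).decode()

def load_session(secret_key: str, cookie: str) -> dict:
    # A signature made under a different SECRET_KEY fails here; Flask-Login then
    # logs "Signature ... does not match" and proceeds with an empty session.
    payload, _, sig = cookie.encode().rpartition(b".")
    if not hmac.compare_digest(sig, _sign(secret_key, payload)):
        return {}
    padded = payload + b"=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def begin_login(secret_key: str) -> tuple[str, str]:
    """Pod A: mint the OAuth state, keep it in the session, send the user to Okta."""
    state = secrets.token_urlsafe(16)
    return state, make_session_cookie(secret_key, {"oauth_state": state})

def handle_callback(secret_key: str, cookie: str, returned_state: str) -> str:
    """Pod B: the state Okta echoes back must equal the one in the session."""
    session = load_session(secret_key, cookie)
    if session.get("oauth_state") != returned_state:
        return "invalid_state"
    return "ok"

def simulate(key_pod_a: str, key_pod_b: str) -> str:
    # Login starts on pod A and the callback lands on pod B behind the ingress.
    state, cookie = begin_login(key_pod_a)
    return handle_callback(key_pod_b, cookie, state)
```

With the default cookie-backed Flask session the state travels inside the cookie, so a SECRET_KEY shared by all pods is enough for any pod to verify it; a server-side session store (filesystem, Redis) additionally has to be shared across pods.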
Is there an environment variable that can configure the session type to use Redis?