
'checks.state argument is missing' error when click back button after authentication with keycloak

Open jalbissimo opened this issue 2 years ago • 16 comments

Description 🐜

Hello there!

I'm having an issue with next-auth. After successfully signing in to the application using the Keycloak provider, clicking the back button in the browser window leads to:

error: {
    message: 'checks.state argument is missing',
    stack: 'TypeError: checks.state argument is missing\n' +...//stack trace
     name: 'TypeError'
  },
  providerId: 'sso_provider_1',
  message: 'checks.state argument is missing'
}

My configuration for the Keycloak provider looks something like this:

import NextAuth from 'next-auth';
import KeycloakProvider from 'next-auth/providers/keycloak';

export default NextAuth({
  providers: [
    KeycloakProvider({
      id: 'sso_provider_1',
      clientId: process.env.AP_CLIENT_ID,
      clientSecret: process.env.AP_CLIENT_SECRET,
      issuer: process.env.AP_BASE_URL
    })
  ],
  secret: process.env.SECRET,
  debug: true
});

Is there anything else I should configure in order to make my application work with the Keycloak provider, or is it just a bug?

Is this a bug in your own project?

Yes

How to reproduce ☕️

Clicking the back button after signing in with Keycloak will display this page and the error mentioned above.

Screenshots / Logs 📽

No response

Environment 🖥

next.js

Contributing 🙌🏽

Yes, I am willing to help solve this bug in a PR

jalbissimo avatar Nov 22 '21 08:11 jalbissimo

I'm getting the same error with the Google provider and version 4.0.0-beta.7. With beta.6 it's working fine (apart from other issues of that version).

mpetricek avatar Nov 25 '21 09:11 mpetricek

I believe we don't currently handle login cancelation https://github.com/nextauthjs/next-auth/pull/1820

balazsorban44 avatar Nov 25 '21 15:11 balazsorban44

We are having the same issue with Azure AD B2C. It's a showstopper for us because the customer insists that it should work the same as when you log in to Office or other Microsoft apps. Is anyone working on this?

ckruppe avatar Jan 18 '22 17:01 ckruppe

@ckruppe For me it helped to add checks: console.log() to the provider. Not sure if it would work for you of course.

Example:

GoogleProvider({
      clientId: ...,
      clientSecret: ...,
      authorizationUrl: ...,
      checks: console.log(), // <-- THIS LINE
    }),

mpetricek avatar Jan 18 '22 17:01 mpetricek

Currently experimenting setting up a system using a custom subdomain (app.example.com) & ran into this same issue. Unsure if it will fix / help others but I got mine working by adding checks: "both" to my provider options.

Example:

DiscordProvider({
      checks: "both",
      clientId: "...",
      clientSecret: "...",
}),

NuroDev avatar Feb 05 '22 15:02 NuroDev

Did anyone solve this? I am experiencing the same issue.

Atali-Albarozzo avatar Apr 18 '22 21:04 Atali-Albarozzo

Currently experimenting setting up a system using a custom subdomain (app.example.com) & ran into this same issue. Unsure if it will fix / help others but I got mine working by adding checks: "both" to my provider options.

Example:

DiscordProvider({
      checks: "both",
      clientId: "...",
      clientSecret: "...",
}),

It works, but also redirects to localhost:3000 instead of my custom domain

kfcaio avatar May 06 '22 09:05 kfcaio

Currently experimenting setting up a system using a custom subdomain (app.example.com) & ran into this same issue. Unsure if it will fix / help others but I got mine working by adding checks: "both" to my provider options. Example:

DiscordProvider({
      checks: "both",
      clientId: "...",
      clientSecret: "...",
}),

It works, but also redirects to localhost:3000 instead of my custom domain

is there any workaround to redirect to custom domain instead ???

Anishjangra2 avatar May 07 '22 12:05 Anishjangra2

Currently experimenting setting up a system using a custom subdomain (app.example.com) & ran into this same issue. Unsure if it will fix / help others but I got mine working by adding checks: "both" to my provider options. Example:

DiscordProvider({
      checks: "both",
      clientId: "...",
      clientSecret: "...",
}),

It works, but also redirects to localhost:3000 instead of my custom domain

is there any workaround to redirect to custom domain instead ???

What if you set NEXTAUTH_URL in the .env file? It worked for me

kfcaio avatar May 08 '22 02:05 kfcaio

I tried that but am still getting the same error. Can you please show me how you did it?

Currently experimenting setting up a system using a custom subdomain (app.example.com) & ran into this same issue. Unsure if it will fix / help others but I got mine working by adding checks: "both" to my provider options. Example:

DiscordProvider({
      checks: "both",
      clientId: "...",
      clientSecret: "...",
}),

It works, but also redirects to localhost:3000 instead of my custom domain

is there any workaround to redirect to custom domain instead ???

What if you set NEXTAUTH_URL in the .env file? It worked for me

Anishjangra2 avatar May 08 '22 05:05 Anishjangra2

"KeycloakProvider" has error: type "boths" is missing. Any updates for this?

modecry avatar Jul 27 '22 17:07 modecry

"KeycloakProvider" has error: type "boths" is missing. Any updates for this?

Kindly look into this

AnmolSaini16 avatar Aug 10 '22 06:08 AnmolSaini16

Any solution to this bug?

AnmolSaini16 avatar Aug 17 '22 07:08 AnmolSaini16

checks: 'none' is working for me; on clicking the back button the user is redirected to the home page. Make sure you also define an error page and include the pages option.

// in error.tsx
import { useEffect } from 'react';

export default function ErrorPage() {
  // Send the user back to the home page instead of showing the callback error.
  useEffect(() => {
    window.location.replace('/');
  }, []);
  return null;
}

AnmolSaini16 avatar Aug 22 '22 10:08 AnmolSaini16

In this case none is the only option that makes it work. If we use state or pkce or an array of [state, pkce], it does not work. But if we use the default NextAuth.js sign-in page, it consists of [state, pkce]. I have a concern about a security issue with none! FYI: I have been stuck with this for about 2 days now and it works just now with none.

brong90s avatar Aug 26 '22 11:08 brong90s

Checking here if someone has found another solution that is not setting checks to none, since that is not secure.

stoompa avatar Sep 13 '22 09:09 stoompa

I'm also looking for a solution to this issue. I'm currently using Netlify and originally thought this was an issue with the jwt option, but I keep coming back to this checks option for providers.

Would someone explain what the checks option does? I wasn't able to find this option in the documentation, so I'm a little stuck as to what it entails.

RayBans2111 avatar Oct 20 '22 18:10 RayBans2111

I am running:

    "@next-auth/prisma-adapter": "^1.0.5",
    "@next/font": "13.1.1",
    "@prisma/client": "4.8.0",
    "next": "13.1.0",
    "next-auth": "4.18.7",

And I get the following error in production (can't reproduce locally) and only with GoogleProvider (checked all .env and they are fine):

{
  [next-auth][error][OAUTH_CALLBACK_ERROR]
  https://next-auth.js.org/errors#oauth_callback_error checks.state argument is missing {
    error: TypeError: checks.state argument is missing
        at Client.callback (/opt/render/project/src/node_modules/openid-client/lib/client.js:387:13)
        at oAuthCallback (/opt/render/project/src/node_modules/next-auth/core/lib/oauth/callback.js:127:29)
        at runMicrotasks (<anonymous>)
        at processTicksAndRejections (node:internal/process/task_queues:96:5)
        at async Object.callback (/opt/render/project/src/node_modules/next-auth/core/routes/callback.js:52:11)
        at async AuthHandler (/opt/render/project/src/node_modules/next-auth/core/index.js:201:28)
        at async NextAuthHandler (/opt/render/project/src/node_modules/next-auth/next/index.js:23:19)
        at async /opt/render/project/src/node_modules/next-auth/next/index.js:59:32
        at async Object.apiResolver (/opt/render/project/src/node_modules/next/dist/server/api-utils/node.js:363:9)
        at async NextNodeServer.runApi (/opt/render/project/src/node_modules/next/dist/server/next-server.js:487:9)
        at async Object.fn (/opt/render/project/src/node_modules/next/dist/server/next-server.js:749:37)
        at async Router.execute (/opt/render/project/src/node_modules/next/dist/server/router.js:253:36)
        at async NextNodeServer.run (/opt/render/project/src/node_modules/next/dist/server/base-server.js:384:29)
        at async NextNodeServer.handleRequest (/opt/render/project/src/node_modules/next/dist/server/base-server.js:322:20) {
      name: 'OAuthCallbackError',
      code: undefined
    },
    providerId: 'google',
    message: 'checks.state argument is missing'
  }

I am unsure what exactly checks does. It has the following types: checks?: ChecksType | ChecksType[]; and declare type ChecksType = "pkce" | "state" | "none" | "nonce";.

Any solution?

Edit:

~~Can see that GoogleProvider uses oidc as type and that there is a comment regarding this. Could this be the issue?~~

lassegit avatar Dec 27 '22 20:12 lassegit

@RayBans2111 Have you been able to solve this?

lassegit avatar Dec 27 '22 20:12 lassegit

@RayBans2111 Have you been able to solve this?

I did! There were a couple of things I needed to check. Make sure that your JWT private key doesn't have any odd characters or mistypings. This error popped up for me when my JWT private key was wrong.

This error would also appear for me if you are not providing the NEXTAUTH_URL variable in your env files. I troubleshot this by taking a look at the redirect URLs I was getting, and I was getting a bad URL, which somehow resulted in this error.

I did not have to provide "checks" in my next-auth setup at all. Fixing the above would fix the checks error.

RayBans2111 avatar Dec 27 '22 21:12 RayBans2111

@RayBans2111 Thanks. Those are all as they should be, just checked. The default config seems to be checks: [ 'pkce', 'state' ],. Perhaps only setting either might work.

Not sure what to do. Enabled logging on production to see if I can get more information.

lassegit avatar Dec 28 '22 10:12 lassegit

It is probably this URL param that isn't being set or something.

lassegit avatar Dec 28 '22 10:12 lassegit

Can with pleasure after an hour of intense testing directly on production on a site that is going viral report that adding checks: ['pkce'] seems to resolve it:

export default NextAuth({
  adapter: PrismaAdapter(prisma),
  providers: [
    GoogleProvider({ clientId: process.env.GOOGLE_CLIENT_ID, clientSecret: process.env.GOOGLE_CLIENT_SECRET, checks: ['pkce'] }),
  ],
  session: { strategy: 'jwt' },
  jwt: { maxAge: 24 * 60 * 60 * 365 }, // 365 days
});

I will talk with my shrink and hope he can calm my nerves after this intense experience 😂.

lassegit avatar Dec 28 '22 11:12 lassegit

Can with pleasure after an hour of intense testing directly on production on a site that is going viral report that adding checks: ['pkce'] seems to resolve it:

export default NextAuth({
  adapter: PrismaAdapter(prisma),
  providers: [
    GoogleProvider({ clientId: process.env.GOOGLE_CLIENT_ID, clientSecret: process.env.GOOGLE_CLIENT_SECRET, checks: ['pkce'] }),
  ],
  session: { strategy: 'jwt' },
  jwt: { maxAge: 24 * 60 * 60 * 365 }, // 365 days
});

I will talk with my shrink and hope he can calm my nerves after this intense experience 😂.

I was getting this while running it via Cypress; totally fine on dev and production. Unfortunately in my case, I now get an invalid_grant (Missing code verifier.) when adding checks: ['pkce']. I don't know enough as to whether it's a good idea to use checks: 'none' in regards to security.

AaronMcCloskey avatar Jan 08 '23 23:01 AaronMcCloskey

Using:

  • "next-auth": "^4.18.8"

I encountered the same error and resolved it by providing checks: 'pkce' for the Google and Facebook OAuth providers.

CeamKrier avatar Jan 24 '23 13:01 CeamKrier

Updates?

leotuna avatar Mar 17 '23 20:03 leotuna

We cannot recreate the issue with the provided information. Please add a reproduction in order for us to be able to investigate.

Why was this issue marked with the incomplete label?

To be able to investigate, we need access to a reproduction to identify what triggered the issue. We prefer a link to a public GitHub repository (template), but you can also use a tool like CodeSandbox or StackBlitz.

To make sure the issue is resolved as quickly as possible, please make sure that the reproduction is as minimal as possible. This means that you should remove unnecessary code, files, and dependencies that do not contribute to the issue.

Please test your reproduction against the latest version of NextAuth.js (next-auth@latest) to make sure your issue has not already been fixed.

I added a link, why was it still marked?

Ensure the link is pointing to a codebase that is accessible (e.g. not a private repository). "example.com", "n/a", "will add later", etc. are not acceptable links -- we need to see a public codebase. See the above section for accepted links.

What happens if I don't provide a sufficient minimal reproduction?

Issues with the incomplete label that receive no meaningful activity (e.g. new comments with a reproduction link) are closed after 7 days.

If your issue has not been resolved in that time and it has been closed/locked, please open a new issue with the required reproduction. (It's less likely that we check back on already closed issues.)

I did not open this issue, but it is relevant to me, what can I do to help?

Anyone experiencing the same issue is welcome to provide a minimal reproduction following the above steps. Furthermore, you can upvote the issue using the :+1: reaction on the topmost comment (please do not comment "I have the same issue" without repro steps). Then, we can sort issues by votes to prioritize.

I think my reproduction is good enough, why aren't you looking into it quicker?

We look into every NextAuth.js issue and constantly monitor open issues for new comments.

However, sometimes we might miss one or two. We apologize, and kindly ask you to refrain from tagging core maintainers, as that will usually not result in increased priority.

Upvoting issues to show your interest will help us prioritize and address them as quickly as possible. That said, every issue is important to us, and if an issue gets closed by accident, we encourage you to open a new one linking to the old issue and we will look into it.


github-actions[bot] avatar Mar 25 '23 09:03 github-actions[bot]

Closing as this issue is kinda old. Let's open a new one with a fresh, minimal reproduction, if it still exists.

balazsorban44 avatar Mar 25 '23 20:03 balazsorban44

@balazsorban44 , the error still exists...

leotuna avatar Mar 25 '23 21:03 leotuna

Do you have a reproduction with next-auth@latest?

There have been many comments on this issue, but actually nobody has added a proper reproduction yet.

balazsorban44 avatar Mar 25 '23 21:03 balazsorban44