Hmm, it's not just github. I tried the same thing with Okta and had the same result. Works if I'm already logged into Okta, fails if I have to log in to Okta as part of the sign-in flow.
Socialite InvalidStateException - but only when logging in with the 3rd party first
This is for a traditional app, not a SPA
I'm getting a Laravel\Socialite\Two\InvalidStateException error when logging in via the socialite github provider - but only when I have to log in to github during the process.
- myapp.com/login
- login with github button
- actually log into github
- automatically redirected back to my /callback and get the error
If I'm logged in to github prior to starting the process it works fine.
- myapp.com/login
- login with github button
- automatically redirected back to my /callback and logged in (or well got the success at least)
I use 1password so the github login process with user/pw and 2fa is pretty quick, like a second or 2. Anyone know why this would cause socialite to fail?
```php
public function redirectToGithub() {
    // Stores a random state value in the session and redirects to github
    return Socialite::driver('github')->redirect();
}

public function handleGithubCallback() {
    //try {
        // Throws InvalidStateException when the state in the session
        // does not match the state returned in the query string
        $oathUser = Socialite::driver('github')->user();
        dd($oathUser); // debug dump; execution stops here
        $localUser = User::where('email', $oathUser->getEmail())->get()->first();
        if (!$localUser) {
            return view('auth.user-not-found');
        }
        else {
            Auth::login($localUser);
            return redirect($this->redirectTo);
        }
    //}
    // catch (Exception $exception) {
    //     dump($exception->getMessage());
    //     dd($exception);
    //     return view('auth.oauth-error');
    // }
}
```
From some discussion on discord, the problem was cookies. samesite=strict will cause this to fail. Setting it back to lax allows this flow to work.
My best guess is that when you are already logged in to github, the socialite chain is all 302s, so the browser sees the flow as all originating from localhost and passes the cookie, whereas when you are not logged in you must go through 200s, and now the browser thinks the request originated from github, where it will not allow the cookie to be passed under strict rules.
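The behaviour described in the thread can be reproduced with a small model. This is an added example, not code from any of the posts or from Socialite: the function names, the state value and the rule that a 302 chain keeps its original initiator are assumptions taken from the explanation above.

```javascript
// Simplified model; site names and the state value are constructed.

// Would the browser attach the session cookie to a top-level GET navigation?
// initiatorSite = site of the page that started the navigation. A chain of
// 302s keeps the original initiator (the assumption made in the thread).
function cookieIsSent(sameSite, initiatorSite, targetSite) {
  if (sameSite !== 'strict' && sameSite !== 'lax') {
    throw new Error('model covers only strict and lax');
  }
  if (initiatorSite === targetSite) return true; // same-site: always sent
  return sameSite === 'lax'; // cross-site: lax is sent, strict is withheld
}

// Callback side: compare ?state= with the value stored in the session.
// Without the cookie the server sees a fresh session with no stored state.
function handleCallback(cookieSent, sessionState, queryState) {
  const stored = cookieSent ? sessionState : null;
  return stored !== null && stored === queryState ? 'ok' : 'InvalidStateException';
}

// One login attempt.
// alreadyLoggedIn = true : app -> provider -> 302 -> /callback
// alreadyLoggedIn = false: provider renders its login page (200); submitting
//                          that form starts the navigation ending at /callback
function simulateLogin(sameSite, alreadyLoggedIn) {
  const app = 'myapp.com';
  const provider = 'github.com';
  const state = 'constructed-state-123'; // saved in the session at redirect time
  const initiator = alreadyLoggedIn ? app : provider;
  return handleCallback(cookieIsSent(sameSite, initiator, app), state, state);
}

for (const sameSite of ['strict', 'lax']) {
  for (const alreadyLoggedIn of [true, false]) {
    console.log(sameSite, alreadyLoggedIn, simulateLogin(sameSite, alreadyLoggedIn));
  }
}
```

In Laravel the session cookie's SameSite attribute comes from the `same_site` key in `config/session.php`.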