Socialite: InvalidStateException in AbstractProvider.php

bumpity bump. Anyone ran into this?

Stuck on same issue :(

Anyone?

Hi chaochana, I've tried what you do and I don't get the solution. Did you guys manage to solve it in another ways?

Same thing here. The change in config/session.php did not do the ttrick as well as the next steps suggested.

I even tried creating a new facebook app id but still got the same error.

I'm just using (which should be same)

$socialiteUser = Socialite::with($provider)->user();

And it works. I know I had problems to implement it in the way it was shown on video here on Laracasts, but I found my way :)

Bugsy, thanks for the reply but I guess many of us need more details. Like you, he have done it the same you did but maybe just differently. Like in my case:

$socialiteUser = Socialite::with('facebook')->user();

Anyway, it's actually not line 183 for me as described in the first post. InvalidStateException in AbstractProvider.php line 183 It's line 191 for me.

But like syropian, the issue lies in the last line of code and the methods running with it.

return ! ($this->request->input('state') === $session->get('state'));

I tried to hack this with a return false but it only gave me a client 400 error this time.

Cheers! Hoping someone can shed more light to this.

Just had this same error.

Mine is: "InvalidStateException in AbstractProvider.php line 191"

This is on handling the callback from Facebook:

Socialite::driver($provider)->user() //$provider = 'facebook'

Tried cache:clear, config:clear and clear-compiled but no effect.

It's line 191 for me as well. Stuck for 3 days now. For the good folks out there, I'm using Ubuntu with LAMP.

Solved this now.

I just added the Request class on the controller.

use Illuminate\Http\Request;

And then on my handleProviderCallback I did this change...

public function handleProviderCallback(Request $request)
{
    $user = Socialite::with('facebook')->user();
    print_r($user); exit;
}   

I'm having the exact same exception:

Laravel\Socialite\Two\InvalidStateException

thrown at:

/vendor/laravel/socialite/src/Two/AbstractProvider.php:191

I've tried both ::with('facebook') and ::driver('facebook') in the below snippet:

public function handleFacebookCallback(Request $request)
{
     $user = Socialite::driver('facebook')->user(); // <-- exception is thrown here

     return 'FACEBOOK-ID:' . $user->getId();
}

Am having the same errors. With a new incognito window on the first time i get a client 400 error. If i refresh the page, it changes to InvalidStateException in AbstractProvider.php line 191

Any ideas?

Testing my same code using the google provider, it works. I am able to trace out my info with dd($user); It just seems facebook is not working

I've noticed that my web server does not have write access to the recently created session file (in storage/framework/sessions). When I give the server write access to this session file, this problem goes away.

(This might help somebody diagnose the issue.)

I'm having kind of the same problem and it's killing me. Although I have never experienced any problems myself, I regularly get a few InvalidStateExceptions on the callback through bugsnag. I get these maybe once or twice a day but we really need to fix this as some users can't register or login.

Tried everything with the session domains etc. but the problem keeps coming back. I have a suspicion that it's somehow related to session persistence as I also get some TokenMismatchExceptions from time to time.

Any help would be greatly appreciated!

I am having the same problem, is there any way to fix this? The 'state' is not being saved into the request for some reason.

I have been looking into this and I have traced the problem to the state value being set to the session before the redirect.

The state param is passed down with the session as part of the redirect request but by the time you return to the site the state param is gone from the session.

I don't know whats happening here, its possible the cookie isn't getting set properly or something could be overriding it.

Has anyone else made any progress with this?

I may have found a potential cause, in our application we have a background ajax request, if this lines up with the redirect request then the problem occurs. This happens because the ajax request returns the session without the state param and overrides the one set by the redirect request.

I can't believe this is a matter ongoing for a year or so.

Trying to get it working on 5.2 but no luck, still the same invalid state. It must be something up to the 5.2 changes :(

Gonna try the larachat see if any hacker is online

I had this come up before, and clearing the cookies fixed it. Not sure if that will work in your case, but it's worth trying!

I believe my previous post is the cause and solution of this. If you're using cookies for the session there is no simple fix and as laravel doesn't support locking it's probably going to difficult for the other options too.

If anyone is interested I went into a bit more depth with the problem and solution. https://arthurguy.co.uk/blog/2015/12/laravel-session-problems

@poltts solution works for me with Google login.

It baffles me that Oauth2 is still so damn complex!

@mwjt42 thanks! @poltts 's code works for me with Google too. Thanks for posting the code and for letting others know it worked. To expand upon this with full working code, here's what I did below:

routes.php:

Route::get('auth/google', 'Auth\AuthController@redirectToProvider');
Route::get('auth/google/callback', 'Auth\AuthController@handleProviderCallback');

AuthController.php:

    /**
     * Redirect the user to the LinkedIn/Google, etc. authentication page.
     *
     * @return Response
     */
    public function redirectToProvider(Request $request)
    {
        if(strpos($request->path(), 'linkedin')!==false){
          return Socialite::driver('linkedin')->redirect();
        }
        else{
          return Socialite::driver('google')->redirect();
        }
    }

    /**
     * Obtain the user information from Linked/Google, etc.
     *
     * @return Response
     */
    public function handleProviderCallback(Request $request)
    {
        if(\Input::get('error')=='access_denied'){
          return redirect('login');
        }

        if(strpos($request->path(), 'linkedin')!==false){
          $user = Socialite::driver('linkedin')->user();
        }
        else{
          $user = Socialite::driver('google')->user();
        }

        $state = $request->get('state');
           $request->session()->put('state',$state);

        if(\Auth::check()==false){
          session()->regenerate();
        }
      
        dd($user);

// here's the die/dump response:

/*
User {#687 ▼
  +token: "<my-google-plus-user-token>"
  +id: "<my-google-plus-user-id>"
  +nickname: null
  +name: ""
  +email: "<my@email-address.com>"
  +avatar: "https://lh4.googleusercontent.com/-XFoF7Um7pJ0/AAAAAAAAAAI/AAAAAAAAAA0/<some-photo-id>/photo.jpg?sz=50"
  +"user": array:13 [▼
    "kind" => "plus#person"
    "etag" => ""<my-etag-code>""
    "emails" => array:1 [▼
      0 => array:2 [▼
        "value" => "<my@email-address.com>"
        "type" => "account"
      ]
    ]
    "objectType" => "person"
    "id" => "<my-google-plus-user-id>"
    "displayName" => ""
    "name" => array:2 [▼
      "familyName" => ""
      "givenName" => ""
    ]
    "image" => array:2 [▼
      "url" => "https://lh4.googleusercontent.com/-XFoF7Um7pJ0/AAAAAAAAAAI/AAAAAAAAAA0/<some-photo-id>/photo.jpg?sz=50"
      "isDefault" => false
    ]
    "isPlusUser" => false
    "language" => "en"
    "circledByCount" => 0
    "verified" => false
    "domain" => "<my-site.com>"
  ]
}
*/

}

I fixed this just disabling the SESSION DRIVER as database... file driver worked fine for me after hours trying to fix this s...

I had problem in my Nginx virtual server configuration.

After changing:

location / {
                try_files $uri $uri/ /index.php;
        }

To :

location / {
                try_files $uri $uri/ /index.php$query_string;
        }

I was able to get rid of this error. So it might be something you guys want to check too ;)

Awesome dude @chaochana , thanks for the solution, your idea worked for me :)

Also check access right on your storage/framework/sessions.

In my case, since this folder is empty in new Laravel project, it has been left out during initially commit to the GIT repository. Afterwards I created it manually on production server, but obviously with the wrong access rights, hence it was not writable for the session driver (when set to 'file').

I had this working great when I was developing with mysite.app but I just realized I'm now at the elixir domain **192.168.XX.XX:3000** It must not be working because I didn't set up my provider with that 192.168.XX.XX:3000 URL.

Just in case this may help someone: I got this error too, and it was a mix of things. The problem started when I published my app in the production environment, so I had to run some commands:

php artisan cache:clear
php artisan config:clear
php artisan route:clear
php artisan clear-compiled

Then, check the following: When using git push/git clone and composer update, the laravel log file where owned by root and got some writting errors reported in the log. This was easily corrected with some chmod / chown commands.

I also changed the session driver (.env) from file to cookies, so I could check /storage/framework/sessions if the cookies was being created.

Finally: make sure to change the .env file in order to have the callback to your production site. In my case, I had example.app in my computer and example.com in production, so I did not notice that the callback in example.com was going back to example.app. That small detail finally made it.

In the bottom line, the invalid state is a problem of checking the domain where the request comes, the domain where the answer goes and some checking in the cookies.