
InvalidStateException in AbstractProvider.php line 191 with socialite

I only get this error on my local machine when I try to log in with Google or FB. I'm almost 100% sure my services and session.php are set up correctly. But alas, here we are...

My services.php Google settings:

'google' => [
    'client_id' => env('GOOGLE_CLIENT_ID'),
    'client_secret' => env('GOOGLE_CLIENT_SECRET'),
    'redirect' => "http://" . env('DOMAIN') . "/login/google/callback",
],

My session:

'domain' => 'local.mysite.com'
jackjoesmith asked Oct 29 '15 14:10


2 Answers

I found out the reason and although I am not sure why this issue occurs, it could be due to Ubuntu / nginx versions, but here we go.

To get the right setting for Laravel in nginx I had used this: https://www.digitalocean.com/community/tutorials/how-to-install-laravel-with-an-nginx-web-server-on-ubuntu-14-04

Also confirmed with this: https://laravel.com/docs/5.1/installation#pretty-urls

Also, it is the same nginx configuration as Homestead, so normally one would not see any issue there, but after checking specifically for the query string on return from Google I noticed it was missing. The routes in Laravel itself worked fine but it was not able to see regular query strings.

So the answer is that within the location block, rather than

try_files $uri $uri/ /index.php$query_string;

you need to use

try_files $uri $uri/ /index.php$is_args$args;

I found this out from

Why is NGINX is ignoring my query strings? (the most upvoted answer)

Jordan Ramstad answered Nov 06 '22 22:11


The issue is related to your sessions, which is always a tricky problem to catch. In OAuth2 you can provide a state parameter when sending the user to authenticate; it is then sent back with the user to your application once they have authenticated.

Socialite puts a random string into the session and this state parameter and checks it contains the same value when the user returns.

See line 134 and 212. https://github.com/laravel/socialite/blob/e04ab0bb972662fc72708dfd4eef35200965cca1/src/Two/AbstractProvider.php#L134

There are a few solutions to try...

First things first, are you able to log in just using your username and password instead of the Google OAuth?

Check your config/session.php domain is set correctly and that the https option is only set to true if you're running over HTTPS. If the https option is enabled then sessions will only ever be set when the site is accessed via HTTPS.

'domain' => 'example.com',

If you are using subdomains in your application prepend a . to the start of your domain in your session config. This will allow the session to carry across to all subdomains.

'domain' => '.example.com',

When you get sent through to the Google login you should see the state parameter on the URL; check this state is also returned when going back to your application.

You could also try clearing your browser cookies and cache (or use an incognito window); this ensures there are no conflicts between your previous tests/existing cookies.

You may also try reinstalling your dependencies by removing your /vendor folder and running composer install again. This for me in the past has solved issues with sessions for unknown reasons.

Wader answered Nov 06 '22 21:11
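
The state check described in the answer above, as an added example that is not part of the original answers and is not Socialite's own code. It reproduces the two failure modes discussed on this page: a callback whose query string was dropped by the web server, and a callback that arrives without the session. The function names, the provider URL and all sample values are constructed for illustration.

```php
<?php
// Added illustration (not Socialite's source): a minimal OAuth2 state check.
// startLogin(), checkCallback() and every sample value are hypothetical.

function startLogin(array &$session): string
{
    // A fresh random value is kept server-side and also sent to the provider.
    $session['state'] = bin2hex(random_bytes(20));
    return 'https://provider.example/auth?' . http_build_query([
        'client_id'    => 'constructed-client-id',
        'redirect_uri' => 'http://local.mysite.com/login/google/callback',
        'state'        => $session['state'],
    ]);
}

function checkCallback(array &$session, string $queryString): string
{
    parse_str($queryString, $query);      // what the application sees as $_GET
    $expected = $session['state'] ?? '';
    unset($session['state']);             // a state value is single use

    if ($expected === '') {
        return 'invalid: no state in session (session cookie not sent back?)';
    }
    if (!isset($query['state']) || !is_string($query['state'])) {
        return 'invalid: no state in query (query string dropped by the web server?)';
    }
    // Constant-time comparison of the stored and the returned value.
    return hash_equals($expected, $query['state']) ? 'ok' : 'invalid: state mismatch';
}

// Constructed scenarios, each run against its own copy of the session.
$session = [];
$url = startLogin($session);
parse_str(parse_url($url, PHP_URL_QUERY), $sent);
$returned = http_build_query(['code' => 'constructed-code', 'state' => $sent['state']]);

$intact = $session;  // state returned and session present
echo checkCallback($intact, $returned), PHP_EOL;
$dropped = $session; // rewrite rule lost the query string
echo checkCallback($dropped, ''), PHP_EOL;
$lost = [];          // cookie domain or secure flag kept the session away
echo checkCallback($lost, $returned), PHP_EOL;
$forged = $session;  // state value the application never issued
echo checkCallback($forged, 'code=x&state=forged'), PHP_EOL;
```

Every outcome other than the first corresponds to the condition Socialite reports as InvalidStateException, so checking which side is missing (query or session) tells you whether to look at the web server rewrite rule or at config/session.php.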