Issue. MismatchingStateError with Auth0 in Solara Auth Sample on AWS EC2
Hello,
I'm experiencing a persistent MismatchingStateError with the "Solara authentication sample" from your website using my custom Auth0 credentials on an Amazon Linux AWS EC2 instance.
I'm using the "Solara authentication sample" on this page: https://solara.dev/documentation/advanced/enterprise/oauth
The application functions perfectly on macOS, Raspberry Pi, and Windows, even with a Cloudflare tunnel. However, when deployed on AWS without any proxy or tunnel and accessible directly at port 8765, it throws an error after the Auth0 login sequence.
Here are the details of my setup:
Operating System: Amazon Linux 2023.4.20240429
Python Version: 3.11.9
Solara Version: 1.32.1
Authlib Version: 1.3.0
Starlette Version: 0.37.2
Here's the error message from the server logs:
File "/home/ec2-user/miniconda3/envs/solara_env/lib/python3.11/site-packages/authlib/integrations/base_client/sync_app.py", line 234, in _format_state_params raise MismatchingStateError() authlib.integrations.base_client.errors.MismatchingStateError: mismatching_state: CSRF Warning! State not equal in request and response.
This error occurs after I click the "Login" button; the Auth0 login page appears and seems to work, but once authenticated, I receive an 'Internal Server Error' in the browser.
The Solara server starts without issues and the UI is accessible. I’ve confirmed that port 8765 is open and no network-related issues should be affecting the Auth0 callbacks.
Additionally, I have tested the starlette Auth0 demo on the same AWS server without encountering any problems.
Has anyone faced a similar issue or have any suggestions on further debugging steps? Any help would be greatly appreciated!
Thank you in advance!
Hi @Punxsutawney, I've tried it on an ec2 instance with the library versions you listed, but I can't reproduce this issue, it just works for me. The only thing different is the OS, I used Ubuntu, but I can't imagine that can be the issue.
I can reproduce it by setting SOLARA_SESSION_HTTPS_ONLY="True" while not running with HTTPS. SOLARA_SESSION_HTTPS_ONLY should be False when not running on HTTPS.

Yes! that's it, it works now!!! I can confirm it works also using a Cloudflare tunnel, thank you! Cloudflare adds the https on top so this is why I thought it was necessary to set SOLARA_SESSION_HTTPS_ONLY to True.
BTW, what could be the explanation for it working in the other environments I tried, same configuration, same Cloudflare tunnel, but not on AWS?
If you access your page on on HTTPS (via the cloudflare tunnel in your case), SOLARA_SESSION_HTTPS_ONLY=True should work. If you access your page via HTTP (directly on port 8765), it only works if you set SOLARA_SESSION_HTTPS_ONLY to False. This should also be true for AWS. Are you saying that accessing your page on AWS with HTTPS with SOLARA_SESSION_HTTPS_ONLY=True doesn't work?
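The behaviour described in the reply above can be modelled end to end. The following is an added example, not code from the Solara issue thread, from Solara or from Authlib: it assumes that SOLARA_SESSION_HTTPS_ONLY maps to the Secure attribute on the session cookie, keeps the OAuth state in a server-side session (Solara's real session layer may store it differently), and uses a constructed browser cookie jar that, like a real browser, never sends a Secure cookie over plain http://. The callback path and the IP address are constructed placeholders.

```python
"""Why a Secure-flagged session cookie turns into "mismatching_state" over plain HTTP.

Constructed illustration (not Solara/Authlib code). The login handler stores the
OAuth `state` in a session identified by a cookie; when the cookie carries the
Secure attribute and the callback arrives over http://, the browser withholds the
cookie, the server cannot find the stored state, and the CSRF check fails.
"""
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlparse


class MismatchingStateError(Exception):
    """Stand-in for authlib's error of the same name (our own class here)."""


class BrowserCookieJar:
    """Minimal browser cookie store: only the Secure attribute is modelled."""

    def __init__(self):
        self._cookies = {}  # name -> (value, secure_flag)

    def store(self, set_cookie_header):
        jar = SimpleCookie()
        jar.load(set_cookie_header)
        for name, morsel in jar.items():
            self._cookies[name] = (morsel.value, bool(morsel["secure"]))

    def cookie_header_for(self, url):
        """Build the Cookie header a browser would attach to a request for `url`."""
        is_https = urlparse(url).scheme == "https"
        sent = {
            name: value
            for name, (value, secure) in self._cookies.items()
            if is_https or not secure  # Secure cookies only travel over https
        }
        return "; ".join(f"{name}={value}" for name, value in sent.items())


class SessionBackedOAuthClient:
    """Server side. `https_only` plays the role of SOLARA_SESSION_HTTPS_ONLY
    (assumed here to control the cookie's Secure attribute)."""

    def __init__(self, https_only):
        self.https_only = https_only
        self._sessions = {}  # session id -> session data

    def begin_login(self):
        """Return (Set-Cookie header, state) as the /login redirect would."""
        sid = secrets.token_urlsafe(16)
        state = secrets.token_urlsafe(16)
        self._sessions[sid] = {"oauth_state": state}
        header = f"session={sid}; Path=/; HttpOnly; SameSite=Lax"
        if self.https_only:
            header += "; Secure"
        return header, state

    def finish_login(self, cookie_header, returned_state):
        """Handle the provider's redirect back: compare returned state with the session."""
        jar = SimpleCookie()
        jar.load(cookie_header)
        sid = jar["session"].value if "session" in jar else None
        expected = self._sessions.get(sid, {}).get("oauth_state")
        if expected is None or not secrets.compare_digest(expected, returned_state):
            raise MismatchingStateError(
                "mismatching_state: CSRF Warning! State not equal in request and response."
            )
        return "authenticated"


def run_login_flow(base_url, https_only):
    """Drive login -> provider -> callback; return 'authenticated' or 'mismatching_state'."""
    browser = BrowserCookieJar()
    server = SessionBackedOAuthClient(https_only)
    set_cookie, state = server.begin_login()
    browser.store(set_cookie)
    # The identity provider echoes `state` back in its redirect to the callback
    # (the "/callback" path is a placeholder, not Solara's real route).
    callback_url = f"{base_url}/callback?state={state}"
    try:
        return server.finish_login(browser.cookie_header_for(callback_url), state)
    except MismatchingStateError:
        return "mismatching_state"


if __name__ == "__main__":
    # 203.0.113.10 is a documentation (TEST-NET-3) address used as a placeholder.
    for url, flag in [("http://203.0.113.10:8765", True),
                      ("http://203.0.113.10:8765", False),
                      ("https://app.example.invalid", True)]:
        print(f"{url:<28} https_only={flag!s:<5} -> {run_login_flow(url, flag)}")
```

The three runs at the bottom reproduce the thread: direct HTTP on port 8765 with the flag on fails, the same URL with the flag off succeeds, and an HTTPS origin with the flag on succeeds. The failure never shows up as a cookie error; it surfaces only as the state comparison in the callback, which is why the Authlib traceback points at `_format_state_params` rather than at session handling.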
Yes, right now I can access the AWS server using SOLARA_SESSION_HTTPS_ONLY=False, and using the same Cloudflare tunnel I've been using, I use https to connect to the tunneled domain (I suppose this is just the proxy part), the mapping of the tunnel always has been for http://localhost. In the other computers I have installed the application I was using SOLARA_SESSION_HTTPS_ONLY=True with the same Cloudflare and Auth0 configuration and it worked fine. The only change I can "see" is AWS infra ... in these conditions if I change SOLARA_SESSION_HTTPS_ONLY=True then Auth stops working for the AWS host.
Might be a difference between accessing localhost via http and an IP address via http, is that the difference in the two situations? localhost is treated differently by browsers
Sorry, not sure I'm understanding you, I'm not using the server IP address in any scenario. I'm accessing the server where Solara is running using the Cloudflare tunnel, a public URL, that in all different cases I tried (a Windows desktop, a macOS, a Raspberry Pi and the AWS EC2 server) is mapped to http://localhost and the problem appears when using at the same time Auth0 for the authentication. On AWS I tried 2 different AMIs, the standard AWS one (I think it's Red Hat based) and an Ubuntu, thinking that perhaps Cloudflare's client was doing something funny there, but in both cases I had the same result... don't know, perhaps Cloudflare is doing some "magic" for AWS infra?