[ ] Regression (a behavior that used to work and stopped working in a new release)
[x] Bug report
[ ] Performance issue
[ ] Feature request
[ ] Documentation issue or request
[ ] Other... Please describe:
1.0.0
Steps to reproduce.
now calling new UserAgentApplication(config) will error with the message:
AuthError: Unexpected error in authentication.: Hash does not contain state.
At this point you can't recover. Even if you catch the error, clear session storage, and try to call new UserAgentApplication(config) it will still error again.
After redirecting back to the SPA after the user clicks "cancel" msal should trigger your errorReceivedCallback and give it an error that can be recovered from.
@vanbujm Thank you for submitting this issue. We are aware of some issues with the B2C Password Reset flows in msal, and we are working them out with the B2C team. We will update shortly with our planned fixes.
I am seeing the same error when redirecting from Sign Up v2
I also got this while doing a custom Sign Up policy. After the redirection from Azure B2C Sign Up policy this error appears in Chrome Developer Tools console.
msal 1.0.2
Authority.ts:13 Uncaught AuthError: Unexpected error in authentication.: Hash does not contain state.
at new AuthError (https://cooldev.azurewebsites.net/Scripts/msal.js:1713:40)
at Function.AuthError.createUnexpectedError (https://cooldev.azurewebsites.net/Scripts/msal.js:1721:28)
at UserAgentApplication.getResponseState (https://cooldev.azurewebsites.net/Scripts/msal.js:3224:53)
at UserAgentApplication.handleAuthenticationResponse (https://cooldev.azurewebsites.net/Scripts/msal.js:3155:42)
at new UserAgentApplication (https://cooldev.azurewebsites.net/Scripts/msal.js:2166:34)
at https://cooldev.azurewebsites.net/signup.html:27:19
I have the same problem. Found a workaround though, by setting storeAuthStateInCookie in msal to true
@ktsakas FYI.
For certain browser settings as noted here we need to set storeAuthStateInCookie to true to persist the state across trusted zones. Closing this issue since the mitigation seems to work for the user.
This is still an issue for me on MSAL 1.2.1 and setting storeAuthStateInCookie to true did not help.
@jfbloom22 I believe this is because IE restricts URL length and in cases where response_type=id_token_token, we observed that the browser trims the end of the #hash sent by the server which contains state, expiry_time etc.
This is tracked with #1172 where msal js can add a check detecting IE/any other browser that restricts URL lengths in response and make two calls to the service instead of one to fetch the idToken and token.
@sameerag thanks for the quick response. I am able to replicate the issue consistently in Safari and Chrome for Mac.
I have the same problem. In my case the browser is Edge Chromium and I can't get the password reset flow to work with AD B2C; if the user cancels or completes the flow I get the error.
Note: I have storeAuthStateInCookie set to true.
Same as @jeverduzco. I am having the issue in Edge Chromium when using the password reset flow in AD B2C. I also have storeAuthStateInCookie set to true
Same issue here with Google Chrome (build 80.0.3987.122). Regular login works, but when using a custom Sign Up policy we receive the AuthError: Unexpected error in authentication.: Hash does not contain state. error.
Please re-open this issue. Getting the same problem, setting storeAuthStateInCookie to true does not resolve the problem.
I am also getting this issue in the latest version of Firefox (74.0.1) and Chrome (81.0.4044.92). I have included storeAuthStateInCookie: true in my msal config.
My steps to reproduce are as follows:
Unhandled Rejection (AuthError): Unexpected error in authentication.: Hash does not contain state.
In my stack trace, the source of the error is when I initialize in my code:
new msal.UserAgentApplication(environment.msalConfig);
From there the stack trace is as follows (NOTE that this is in calling order, not reverse order like a stack trace):
```
UserAgentApplication
src/UserAgentApplication.ts:241
  238 | * @param {@link AuthenticationParameters}
  239 | *
  240 | * To renew idToken, please pass clientId as the only scope in the Authentication Parameters
> 241 | * @returns {Promise.<AuthResponse>} - a promise that is fulfilled when this function has completed, or rejected if an error was raised. Returns the {@link AuthResponse} object
      | ^
  242 | */
  243 | UserAgentApplication.prototype.acquireTokenPopup = function (userRequest) {
  244 | var _this = this;

./node_modules/msal/lib-es6/UserAgentApplication.js/UserAgentApplication</UserAgentApplication.prototype.handleAuthenticationResponse
src/UserAgentApplication.ts:1046
  1043 | var aState = this.getAccountState(serverAuthenticationRequest.state);
  1044 | var response = {
  1045 | uniqueId: "",
> 1046 | tenantId: "",
       | ^
  1047 | tokenType: (accessTokenCacheItem.value.idToken === accessTokenCacheItem.value.accessToken) ? ServerHashParamKeys.ID_TOKEN : ServerHashParamKeys.ACCESS_TOKEN,
  1048 | idToken: idTokenObj,
  1049 | idTokenClaims: idTokenObj.claims,

./node_modules/msal/lib-es6/UserAgentApplication.js/UserAgentApplication</UserAgentApplication.prototype.getResponseState
src/UserAgentApplication.ts:1112
  1109 | this.logger.verbose("Renew token Expected state: " + serverAuthenticationRequest.state);
  1110 | // Build urlNavigate with "prompt=none" and navigate to URL in hidden iFrame
  1111 | var urlNavigate = UrlUtils.urlRemoveQueryStringParameter(UrlUtils.createNavigateUrl(serverAuthenticationRequest), Constants.prompt) + Constants.prompt_none + Constants.response_mode_fragment;
> 1112 | window.renewStates.push(serverAuthenticationRequest.state);
       | ^
  1113 | window.requestType = Constants.renewToken;
  1114 | this.registerCallback(serverAuthenticationRequest.state, scope, resolve, reject);
  1115 | this.logger.infoPii("Navigate to:" + urlNavigate);

./node_modules/msal/lib-es6/error/AuthError.js/AuthError</AuthError.createUnexpectedError
src/error/AuthError.ts:35
  32 | AuthError.createNoWindowObjectError = function (errDesc) {
  33 | return new AuthError(AuthErrorMessage.noWindowObjectError.code, AuthErrorMessage.noWindowObjectError.desc + " " + errDesc);
  34 | };
> 35 | return AuthError;
  36 | }(Error));
  37 | export { AuthError };
  38 | //# sourceMappingURL=AuthError.js.map

AuthError
src/error/AuthError.ts:25
  22 | var _this = _super.call(this, errorMessage) || this;
  23 | Object.setPrototypeOf(_this, AuthError.prototype);
  24 | _this.errorCode = errorCode;
> 25 | _this.errorMessage = errorMessage;
     | ^
  26 | _this.name = "AuthError";
  27 | return _this;
  28 | }
```
FYI, if you are experiencing this, a dirty way around it is to wrap the line that inits MSAL in a try/catch and refresh the browser window when an error is caught.
It's not great as a solution and has its own risks but might help if you are experiencing a prod issue and need a short-term quick and dirty fix. The risk with this method is that you could send your users into an infinite page-refresh loop if MSAL errors over and over, so you'll want to test this thoroughly.
The beta version (1.3.0-beta.1) works fine for me.
Still facing the same issues with even version 1.3.0-beta
Working fine for me in version 1.3.0-beta.1; you can try it out here by creating an account and resetting your password.
For me the problem was that it redirects the flows with a window.location.
What I have done is use the authority url changing login for repassword.
After using login redirect I have not had any problem:
The block goes all together, github won't let me use it but everything is inside the subscribe
```ts
this.msalService.handleRedirectCallback((errorDesc, response) => {
  const msalErrorDescription = localStorage.getItem(
    'msal.error.description'
  );
  // check if msal error set
  if (msalErrorDescription) {
    // AADB2C90118: the user chose "Forgot your password?" on the sign-in page
    if (msalErrorDescription.indexOf('AADB2C90118') > -1) {
      // change authority to password reset policy
      // window.location.href = environment.passwordUrl;
      this.msalService.authority = environment.passwordUrl;
      this.msalService.loginRedirect();
      return;
    } else if (msalErrorDescription.indexOf('AADB2C90091') > -1) {
      // AADB2C90091: the user cancelled the flow; clear the stored error
      // and send them back to the sign-in policy
      localStorage.setItem('msal.error.description', '');
      this.msalService.authority = environment.authorityUrl;
      this.msalService.loginRedirect();
      return;
    }
  }
});
```
Don't forget to clean the localStorage to avoid infinite loops
With msal 1.3.1 error still present.
I am facing the same issue when the authorization flow is not triggered from msal. I am implementing a user invitation flow using a custom policy; the flow works fine and after completion it redirects to the app, but msal raises the above error. How do I handle this scenario?
I'm working with the latest stable version and I don't have any problems anymore, neither in the registration flow nor in resetting the password.
You can create an account on my site to see how the flow works
I am also having this issue with msal 1.3.2 and msal angular 1.0.
Have tried authStateInCookie.
Does anyone have a code example of how to implement a change password button?
I use window.open(msalChangePasswordUrl, '_self') to get to the reset page.
Then on return when you cancel OR complete the process I get the error.
I can see the AADB2C90091 error in the browser URL when cancelling.
The error appears to occur before I can reach any code in my app, i.e. the constructor of app.component.
Thanks!
I see a lot of people have this problem.
Reason - AAD for some reason loses state on the reset password flow.
What is state? Msal records a string on your page before the redirect to AAD, and compares it to the response that you get after redirecting from AAD, to ensure that the request to AAD was issued by the user's browser.
How to fix it?
1) You can wait for the msal (or AAD) team to fix it.
2) You can rewrite the function that checks state, so that it does not check it for the reset password case.
If you have more questions - you can contact me.
And if you, like me, experienced a number of other issues, I would recommend rewriting msal altogether.
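What the state comparison described in this thread protects, and how a redirect that arrives without state can be handled without switching the comparison off, shown as an added example that is not part of the thread and is not msal code. The function name, result labels and sample hashes are constructed for illustration; the only values taken from the thread are the error codes AADB2C90118 and AADB2C90091.

```javascript
// Added example, not msal code. classifyRedirectHash and its result labels
// are hypothetical; the sample hashes used with it are constructed.
const RECOVERABLE_B2C_ERRORS = ["AADB2C90118", "AADB2C90091"]; // codes quoted in this thread

function classifyRedirectHash(hash, expectedState) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  const state = params.get("state");
  const hasTokens = params.has("id_token") || params.has("access_token");
  const errorDesc = params.get("error_description") || "";
  const b2cCode = RECOVERABLE_B2C_ERRORS.find((c) => errorDesc.includes(c)) || null;

  if (!params.has("error") && !hasTokens) {
    return { action: "ignore", reason: "not an auth response" };
  }
  // A response is tied to a request this browser made only when its state
  // equals the value stored before the redirect. A missing stored value
  // never counts as a match, so null === null cannot pass.
  const stateOk = Boolean(expectedState) && state === expectedState;

  if (hasTokens) {
    // Tokens are accepted only with a matching state, whatever policy ran.
    return stateOk
      ? { action: "accept", reason: "state matches stored request" }
      : { action: "reject", reason: "tokens without matching state" };
  }
  // Error responses carry no credentials. For the policy errors above the
  // hash is discarded and a fresh library-initiated request is started,
  // which stores a new state of its own.
  if (b2cCode) {
    return { action: "restart", reason: b2cCode, stateOk };
  }
  return { action: "report", reason: params.get("error"), stateOk };
}
```

Only the `restart` and `report` branches tolerate a missing state, and neither of them consumes anything from the hash.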