State missing from auth_code_flow error

[christokritz]

I randomly get the state missing from auth_code_flow error with some of our users. auth_code_flow is an empty dictionary in this case.

I followed these instructions to set it up:
https://docs.microsoft.com/en-us/graph/tutorials/python?tutorial-step=3

It looks like auth_flow session should be set in the sign_in view, but when the callback gets called this session data is no longer available. It's not clear to me what is causing this or how to reproduce it.

This is the relevant piece of code in oauth2cli.oauth2.py in the obtain_token_by_auth_code_flow method:

    if not auth_code_flow.get("state"):
        # initiate_auth_code_flow() already guarantees a state to be available.
        # This check will also allow a web app to blindly call this method with
        # obtain_token_by_auth_code_flow(session.get("flow", {}), auth_resp)
        # which further simplifies their usage.
        raise ValueError("state missing from auth_code_flow")

I'm using version 1.7.0

How can I prevent /fix this?

[rayluo]

Thanks for bringing that Microsoft Graph Python tutorial to our attention.

MSAL team maintains a self-contained web app sample, currently written for Flask (rather than Django which is being used in the aforementioned Graph tutorial). You may try derive your project from this sample and see how it works.

Regarding to that Graph tutorial, my hypothesis is it purges the state from session over-aggressively. You can try change the pop in this part to get, and see how it goes.

Please let us know your test result. If it works, we will go back to fix that tutorial, and/or figure out a better way to prevent this.

[rayluo]

@christokritz , is there any updates from your side?