I am also facing a similar issue. My company's QA found a very interesting scenario:

• First attempt to access the site, you get redirected to keycloak, no problem.
• If you don't log in and try to access the site again (new tab or in the same tab) you get the 'Bad Authorization State' Error and it goes straight into the site bypassing authirisation
• If you try to access the site again it redirects to keycloak, no problem
• If you don't log in and try to access the site, then 'Bad Authorsation State' Error
• Repeat ad nauseam

I've done a lot of monitoring and found the following, when there is 'Bad Authirisation State' Error:

• there is no attempt to reach keycloak
• logout() function does nothing

Seeing you ask about localstorage I monitored it and found something very interesting:

First time:
Storage { length: 0 }

Second Time:
Storage { ROCP_tokenExpire: "1691504132", ROCP_token: '""', ROCP_loginInProgress: "true", ROCP_refreshTokenExpire: "1691504132", length: 4 }

Third Time:
Storage { ROCP_tokenExpire: "1691504148", ROCP_token: '""', ROCP_loginInProgress: "false", ROCP_refreshTokenExpire: "1691504148", length: 4 }

After logging in:
Storage { ROCP_tokenExpire: "1691504289", ROCP_token: '""', ROCP_loginInProgress: "true", ROCP_refreshTokenExpire: "1691504289", length: 4 }

So it seems that the logininProcess is the issue. I tried to check if there isn't a token and logininProcess is false or null to call the login command and it works. But then logging out doesn't. Tried this both with autologin = true and autologin = false.

Any help on this issue?

Hi,
It's really hard to recreate it. Usually it happens when I build my app locally and the session is kept. Nevertheless I will wait until we will release it on demo and if it persist maybe I will catch it and report here. Thank you for your support.

I would also ask about 'logout()' method. Currently when I'm calling this method my tokens are deleted from localStorage but there is no redirect to login again. Is there any possibility to redirect to login again?

Sidenote:
I already used both logoutEndpoint and logoutRedirect but without any effect

If "logoutEndpoint" is provided, calling "logout()" should redirect the user to that URL.
Any errors being thrown when you call "logout()"?

If I'm reading this correctly, you want the user to be sent back to login whenever logout is called - won't autoLogin=true make that happen?

@soofstad no there is no error. I provided logoutEndpoint but after calling logout nothing happens. Only ROCP_tokens are removed from localStorage. To make matter worse it doesn't logout me from provider (OP) - but this is probably due to some configuration on the OP side.

@sebastianvitterso after logout I would like to be redirected to provider to login again. Right now I have to make a bypass and manually change url by providing window.location.href

Got a good detailed recreation report from @madtag . Will see if I can find what's causing the issue as soon as I get some time.

This is a problem you need to work around.
It is impossible to "log out" if there is noone logged in. The sever need to know "Who it should log out".

You will need to create a solution where you redirect to login page or call the "log in" function when the need arises.

Another situation where Bad Authorisation State may happen. Configure an invalid redirect_uri. Keycloak will show the error below

The link will point to the Root url configured in the keycloak client and if it is the same url you started from will go into the 'Bad Authorisation State'

Hey,
I'm currently away on some travels, unable to work on the project until October. Perhaps @sebastianvitterso could have a look.
I do consider this to be the highest priority issue right now. So will work on it when I get back.

@madtag Can you make a minimal example on codesandbox? I don't really know where to begin here yet, but having a repro might help.

Now, version 1.15.1 includes a fix where the error is not cleared automatically, and no redirect to logout is made if the user is not logged in.
This should make the behaviour of the library a bit more consistent.

I am facing the same Bad Authorization State issue, it happens randomly and in my case I do not abort the process of login or do anything with it.

If I clear browser history and cache and try to load my app, on first load I am redirected to my auth provider correctly, but if I refresh or open the same app again in a different tab or even in the same tab I browse to the same address, I get into a bad auth state. Then I have to manually reload the page to get it to work.

The documentation mentions how we should handle any errors the library throws, is there any way to handle this issue? Something like auto reload the page if the bad auth state error occurs. I am still new to React and I have tried to get around it but no luck.

Sounds like you should create a new issue/discussion @muazshahid. Feel free to do so, and include any related code. Debugging other problems in an old thread isn't sustainable 😄

This exact issue should be fixed in v.1.17.2. Which version are you using?

Interesting! I am using version 1.20.0

Would much appreciate if you'd create an issue on it. Showing how to recreate the problem 🙂