article Qlik Cloud: State not valid, missing request forgery protection when trying to authenticate in Official Support Articles

Qlik Cloud: State not valid, missing request forgery protection when trying to authenticate

Damien_V — Tue, 11 Apr 2023 08:53:47 GMT

Authenticating to Qlik Cloud fails with:

"errors":[{"title":"State verification failed","detail":"State not valid, missing request forgery protection","code":"STATE-1","status":"401"}],"traceId":"XXXXXXX"}

Resolution

This error will show up when the state sent during the authentication request does not match the eas.rfp cookie created at the same time.

This is the basic workflow for the authentication process:

The user accesses the tenant URL (directly or embedded in an iFrame or mashup), Qlik Sense redirects to the Identity Provider and at the same time instructs the browser to create a cookie in the browser called eas.rfp.XXXX (XXXX is a random string), this cookie will be used to check if the state parameter hasn't been forged when the Identity Provider sends back the user to Qlik Sense.
User inputs credentials on the Identity Provider page and then gets redirected back the user to Qlik Sense
Qlik Sense checks the state parameter against the eas.rfp.XXXX cookie saved in the browser to see if it hasn't been forged, if it cannot find the cookie with the value is initially created or if the values do not match, then it will throw the mentioned error.

Therefore, the following need to be checked when getting the error:

Is the eas.rfp correctly created in the browser? If not, check the browser settings and make sure that cookies are allowed for Qlik Sense. Some browsers will forbid cookies by default when the site is embedded.
Is the state parameter seen in the URL when getting redirected keeps the same value during the whole authentication process ? Using the Browser devtools with the "Preserve log" on should help you visualize this.

Environments:

Re: Qlik Cloud: State not valid, missing request forgery protection when trying to authenticate

Mara_mamaco — Fri, 31 Jan 2025 08:26:12 GMT

I get the error message, when trying to access the Qlik Cloud via the Excel Add-in. It worked fine, but once I entered the wrong credentials the login ends up, showing the error message.

What can you do to "set back" your credentials when using the Excel Add-in via oAuth?

Any help is highly appreciated.

Re: Qlik Cloud: State not valid, missing request forgery protection when trying to authenticate

Alberto-SDH — Fri, 31 Jan 2025 09:28:20 GMT

Hello, we are suffering the same problem of @Mara_mamaco with the Excel add-id.

On all our customers.

Please let us knok what we can do, thank you.

Re: Qlik Cloud: State not valid, missing request forgery protection when trying to authenticate

Commander — Fri, 31 Jan 2025 10:07:11 GMT

We have the same issue. Authentication ends up in a browser window, showing the exact error message as shown above.

Re: Qlik Cloud: State not valid, missing request forgery protection when trying to authenticate

Anonymous — Fri, 31 Jan 2025 10:13:38 GMT

Same here since today. I need to do some changed in an Excel report for a customer and it shows on all my machines the following error:

{"errors":[{"title":"State verification failed","detail":"State not valid, missing request forgery protection","code":"STATE-1","status":"401"}],"traceId":"a6fdae8e543cea200484bd0b4ec444b2"}

Earlier when I opened the Excel Add-in it opened a new window within Excel where I needed to login and afterwards I could work with it. Now it opens a new tab in my Edge browser and shows this error. I even tried it on different machines with and without antivirus software but still got the same behaviour from the Add-in.

Is it a Windows error since there was some Edge update in the last few days or is it an error with the Qlik Cloud?

Re: Qlik Cloud: State not valid, missing request forgery protection when trying to authenticate

peter_turner — Fri, 31 Jan 2025 16:23:23 GMT

I've had a customer report this same error, from a previously working setup.
Using Chrome, and Azure OIDC as the IDP. Sounds like a Azure / Qlik issue at this stage.

@Damien_V is this a new known issue?

Re: Qlik Cloud: State not valid, missing request forgery protection when trying to authenticate

Frank_S — Fri, 31 Jan 2025 21:31:49 GMT

Check again as this issue should be resolved as of a short while ago.

Re: Qlik Cloud: State not valid, missing request forgery protection when trying to authenticate

ManuelRühl — Sat, 01 Feb 2025 09:42:49 GMT

@Frank_S

It works again!

Thank you 🫡

Re: Qlik Cloud: State not valid, missing request forgery protection when trying to authenticate

Alberto-SDH — Tue, 11 Feb 2025 11:56:31 GMT

Yes it worked!

if someone continues to suffer the problem try the following steps (it was gave to me from qlik support after a case opening on the problem):

A fix has been released to address this issue. Kindly follow the steps below:

1. Remove the existing add-in and add the manifest file again

2. If the steps 1 doesn't resolve the issue, Microsoft Excel Add-in cache has to be cleared. Steps to clear the cache is listed here: https://learn.microsoft.com/en-us/office/dev/add-ins/testing/clear-cache#clear-the-office-cache-on-windows