Seeing " OAuth return is missing a valid CSRF token" message

dan · 23 Jul 2024, 19:06

I have an issue. When someone resets their password, they get a link in their email. Then when they click it, they get an error message: OAuth return is missing a valid CSRF token and see a FusionAuth error screen.

How can I solve that?

dan · 23 Jul 2024, 19:07

If this is isolated to one user it's happening to that's usually because the user is trying the flow across browsers or devices instead of completing the whole flow inside 1 browser.

For example, they might be requesting the Change Password on their phone but then open up their email on a desktop and click the link. Thus the desktop browser would be missing the CSRF token from the beginning of the flow.

This can also happen if they request it on Chrome, but click the link in the email in Firefox (or even Incognito/Private browser vs normal).

If it is more widespread (across many users) then it is probably something else, like a theme issue.

brad · 13 Nov 2024, 21:31

Duplicate post