State cookie / PKCE code_verifier cookie missing

[LoickNosal]

Environment

  System:
    OS: macOS 15.3.2
    CPU: (8) arm64 Apple M3
    Memory: 109.34 MB / 16.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 22.14.0 - ~/.nvm/versions/node/v22.14.0/bin/node
    npm: 10.9.2 - ~/.nvm/versions/node/v22.14.0/bin/npm
  Browsers:
    Chrome: 134.0.6998.166
    Safari: 18.3.1
  npmPackages:
    @auth/mongodb-adapter: ^3.7.4 => 3.8.0 
    next: ^14.2.20 => 14.2.25 
    next-auth: ^4.24.11 => 4.24.11 
    react: 18.2.0 => 18.2.0 

Reproduction URL

https://github.com/LoickNosal/Cookie-Missing-NextAuth

Describe the issue

Hello, I'm having a problem with NextAuth.

I use two providers: Google and Apple.
I have one problem for each provider:

• For Google:

[next-auth][error][OAUTH_CALLBACK_ERROR]
State cookie was missing
providerId: 'google',
message: 'State cookie was missing.'

• For Apple:

[next-auth][error][OAUTH_CALLBACK_ERROR]
PKCE code_verifier cookie was missing.
providerId: 'apple',
message: 'PKCE code_verifier cookie was missing.'

These messages appear each time I log in to my application. It's not blocking, and users are able to log in. I'd like to understand the cause because I've already added a PKCE cookie to my next-auth.ts file.
This is polluting my environment's logs, and I'd like to fix it as soon as possible.

My next-auth.ts and next-auth.d.ts files in the link
Here are the versions used:
"next": "^14.2.20",
"next-auth": "^4.24.11",
"react": "18.2.0",

### How to reproduce

https://github.com/LoickNosal/Cookie-Missing-NextAuth

### Expected behavior

Shouldn't pollute my console with missing cookies errors.

[debarkamondal]

I also faced this using the Github Provider. I somehow fixed it. I deleted parts and started adding parts back in until the issue started to appear. It was caused due to parsing problem. I sent some mismatched data. I just had to handle that and its working again.

I would recommend you do the same while keeping this in mind. Best of luck and let me know if it helped.

[LoickNosal]

Hello, thank you for your reply. Could I have more details on your parsing error?
I've run several tests, but I'm still having the same problem in production (and I can't reproduce it in a dev environment).

[georgezouq]

On my product, I have same "PKCE code_verifier cookie missing" problem use apple provide, and I find official demo in next-auth website still couldn't signin with apple

[ankur-jain-nhs]

I have the same problem. The error I see in logs is "InvalidCheck: state value could not be parsed. Read more at https://errors.authjs.dev#invalidcheck". Upon inspection, found out that the signIn() method we are calling on nextjs middleware on the server, returns a 307 to redirect to the issuer to authorise. But the set-cookie does not seem correct, it seems to have merged callback-url and state cookies into one in production, separated by comma, but instead locally I see two separate set-cookie response headers. This means that the state is not stored in browser and the authorisation eventually fails. This works beautifully locally (even when we are using https).

We have spent innumerable number of hours findings why that might be happening, but no clue. We are deploying using opennext to AWS Cloudfront and lambda serverless. Any help is appreciated.

[marco-calderon]

@ankur-jain-nhs I added the redirectUrl and redirect props on the signIn configuration object but didn't worked, it showed the same issue that you have. Removed those props and only calling it by await signIn('google') solved the issue for me.