It’s hard to tell whether or not you’re doing anything wrong without seeing your source code. A state mismatch means that the state passed by the query parameter from your OAuth provider doesn’t match the state stored in the session. So my first question is whether you have your session middleware added correctly, and whether you’re not accidentally overriding it with ring-defaults.