Another "How To Get StateToken" question

Hi All, first post here. I am having problems reliably getting a StateToken and can’t figure out what makes the difference between one try when it works and another

Step 1: I execute {{url}}/api/v1/authn/
and receive back a response with:
“stateToken”: “00mOX2IO0GlKZiondPWqUyvUfWkphef-ikJgmnWXXX”,
“status”: “MFA_REQUIRED”,
“user” json node
“factors” json node
“_links” json node

Step 2: The “factors” json node contains a url for “verify” which looks like this:
{{url}}api/v1/authn/factors/opf6rzrhwuqZhZaqoXXX/verify" where opf6rzrhwuqZhZaqoxxx is the factorId

I’m Posting to that URL using Postman and provide the following json body:
“stateToken”: “00mOX2IO0GlKZiondPWqUyvUfWkphef-ikJgmnWXXX”,
“factorType”: “push”,
“provider”: “OKTA”

but I keep receiving
“errorCode”: “E0000011”,
“errorSummary”: “Invalid token provided”,
“errorLink”: “E0000011”,
“errorId”: “oaenVgJRlVtQ_K1prYLQe9XXX”,

sometimes it actually executes successfully and I get a push notification on my phone, accept it and make another call to

and I get back
“factorResult”: “SUCCESS”

but when I try to repeat it again, most of the time I get the
“errorSummary”: “Invalid token provided”, error again

I ALWAYS get the generated stateToken from the Step1’s response and copy it to the json body of the Step2, why do I keep getting the “Invalid token provided” error?

Thank you!

Ok, I figured it out. This message:

“errorCode”: “E0000011”,
“errorSummary”: “Invalid token provided”,

is misleading. It is sent not only when your token is invalid (wrong alphanumeric string), but also when it is expired (which happens in just few minutes) or when it was already used. One may argue that the message is still correct (as the token IS technically invalid), but the error code must still be different, as the reasons for it being invalid are different.

1 Like