I think it’d make sense if you try to check the underlying APIs. If you would, you won’t be masking your session token. A state token will be present in the situation where the user’s password has expired and the user can’t just log into Okta; instead, the change-password flow is initiated, presenting you with a state token to continue the flow when you submit the new password request. Here is a diagram describing the process: https://developer.okta.com/docs/reference/api/authn/#transaction-state
Thank you @phi1ipp for all your help.
My problem is that I can’t get a state token to reset the password with a trusted application,
so how do I obtain a state token for this password reset? I’ve tried to set it but I can’t get it to work at all …
Do you have any example I can follow?
@GuilhermeO Please refer to the example of Forgot Password with Trusted Application.
You can use SSWS token in the POST request.
curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
-H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36" \
-H "X-Forwarded-For: 23.235.46.133" \
-d '{
"username": "dade.murphy@example.com"
}' "https://${yourOktaDomain}/api/v1/authn/recovery/password"
As for your question about how to obtain a state token,
like @phi1ipp mentioned, you can just use the SSWS token.
If you have interest, you can take a look at the video, which includes a way to get a state token (at 7'52''): https://www.youtube.com/watch?reload=9&v=EVL3gnt7BYo&ab_channel=OktaDev
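The same trusted-application recovery call as above, followed by the reset_password step that consumes the state token, as an added example that is not from this thread or from Okta's own SDKs. The domain, the `fake_post` stand-in transport and the sample responses are constructed (field names follow the Authn API transaction model linked earlier), and the recovery-question step between RECOVERY and PASSWORD_RESET is not shown.

```python
import json
import urllib.request

def okta_post(url, api_token, body):
    """POST JSON to the Okta Authn API as a trusted application (SSWS API token)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Accept": "application/json", "Content-Type": "application/json",
                 "Authorization": f"SSWS {api_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def start_password_recovery(domain, api_token, username, post=okta_post):
    """Step 1: forgot-password call. Only the trusted-application (SSWS) form of the
    call hands back a stateToken, so a missing token is a failed precondition."""
    tx = post(f"https://{domain}/api/v1/authn/recovery/password", api_token,
              {"username": username})
    token = tx.get("stateToken")
    if not token:
        raise RuntimeError("no stateToken: request was not authorized with an SSWS API token")
    next_step = tx.get("_links", {}).get("next", {})
    return token, tx.get("status"), next_step.get("href")

def reset_password(domain, api_token, state_token, new_password, post=okta_post):
    """Final step: once the transaction reaches PASSWORD_RESET, the state token
    (not a session token) is what authorizes setting the new password."""
    tx = post(f"https://{domain}/api/v1/authn/credentials/reset_password", api_token,
              {"stateToken": state_token, "newPassword": new_password})
    return tx.get("status"), tx.get("sessionToken")

# Constructed stand-in for Okta so the flow can be exercised offline; the field
# names mirror the Authn transaction model, the values are made up.
def fake_post(url, api_token, body):
    if not api_token:  # untrusted caller: no transaction state is returned
        return {}
    if url.endswith("/authn/recovery/password"):
        return {"stateToken": "00constructed-state-token", "status": "RECOVERY",
                "_links": {"next": {"name": "answer",
                                    "href": url.replace("/recovery/password",
                                                        "/recovery/answer")}}}
    if url.endswith("/credentials/reset_password") and body.get("stateToken"):
        return {"status": "SUCCESS", "sessionToken": "constructed-session-token"}
    return {}
```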