I’m trying to implement change password method and I need to set statetoken, but it always comes null when the user logs in
I took this example used for testing (https://github.com/okta/okta-auth-dotnet/blob/8611e10f37c9da5350e3e0ed10d0b68a76717a58/Okta.Auth.Sdk.IntegrationTests/AuthenticationScenarios.cs), where the statetoken could not be empty, but it is not what happens…
I think it’d make sense if you try to check underlying APIs. If you would, you won’t be masking your session token 
State token will be present in the situation, where user’s password got expired and user can’t just log into Okta, but rather change password flow is initiated, presenting your with a state token to continue a flow when you submit new password request. Here is a diagram describing the process https://developer.okta.com/docs/reference/api/authn/#transaction-state
thank you @phi1ipp for all your help,
my problem is that i can’t get statetoken to reset the password with trusted application,
so how to obtain statetoken for this password reset? I’ve tried to set it but I can’t get it to work at all …
do you have any example i can follow?
But for trusted application you can use SSWS token to just issue set password operation. Why do you need a token?
@GuilhermeO Please refer the example of Forgot password with trusted application.
curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
-H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36" \
-H "X-Forwarded-For: 23.235.46.133" \
-d '{
"username": "dade.murphy@example.com",
}' "https://${yourOktaDomain}/api/v1/authn/recovery/password"
As for your question about how to obtain a state token,
like @phi1ipp mentioned, you can just use SSWS token.
If you have interest, you can take a look of the video which includes a way to get state token (at 7'52'') https://www.youtube.com/watch?reload=9&v=EVL3gnt7BYo&ab_channel=OktaDev