Generate session token from state token

I am using MFA and so the initial call to /authn endpoint gives me state token and expiry time instead of session token. Is there a way I can get the session token after the MFA authentication is successful? Any help would really be appreciated.

Hello,
Once an authentication flow is complete, the response will contain a sessionToken. If you are receiving responses with a stateToken then there are more steps required to complete the flow.

When you receive a stateToken instead of a sessionToken there should also be a status value that indicates what the next step is, such as

"status": "PASSWORD_EXPIRED",

Here are the steps that I have followed:

  • authentication to /auth endpoint (receives state_token, ‘status’: ‘MFA_REQUIRED’, user_id and so on)
  • issue_user_factor_challenge using the f"{url}/api/v1/users/{userid}/factors/{factorid}/verify" endpoint. The output contains (‘factorResult’: ‘WAITING’, ‘expiresAt’: ‘2022-06-10T01:27:39.000Z’, and so on). This sends a push notification to the device.
  • verify_factor_challenge using the endpoint f"{url}/api/v1/users/{userid}/factors/{factorid}/transactions/{transactionId}". This step returns {“factorResult”:“SUCCESS”}.

I am wondering what the next step is to generate the session token. What is the next step from here to get a session token?

What type of factor are you trying to use?

I am using Push Verification

You must also be validating your endpoints with python. Like Erik said, a stateToken is an incomplete step. If you have a stateToken you need to pass it into this endpoint: https://${yourOktaDomain}/api/v1/authn to validate it before obtaining a sessionToken.

More info here. Let me know if you are still having difficulty, and I’ll share the script I put together for it.

I think I didn’t quite catch the solution. When I send a request to that endpoint, https://${yourOktaDomain}/api/v1/authn, I get a response similar to this one:

What do you recommend after following these steps?

  • authentication to /auth endpoint (receives state_token, ‘status’: ‘MFA_REQUIRED’, user_id and so on)
  • issue_user_factor_challenge using the f"{url}/api/v1/users/{userid}/factors/{factorid}/verify" endpoint. The output contains (‘factorResult’: ‘WAITING’, ‘expiresAt’: ‘2022-06-10T01:27:39.000Z’, and so on). This sends a push notification to the device.
  • verify_factor_challenge using the endpoint f"{url}/api/v1/users/{userid}/factors/{factorid}/transactions/{transactionId}". This step returns {“factorResult”:“SUCCESS”}.

I thought {“factorResult”:“SUCCESS”} means that authentication is successful.
After that I tried again, passing the “state token” to the endpoint you mentioned.
The response that I received contains the same state token again, with ‘status’: ‘MFA_REQUIRED’.

Could someone please take a look at the above comment and help me understand the process or what I am doing is wrong here?
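The state machine the thread is circling around, written out as an added example (it is not code from any poster, nor Okta's own SDK). It drives the classic Authentication API by the `status` field of each `/authn` response: `MFA_REQUIRED` carries a `stateToken` and the enrolled factors, the push factor is challenged and polled, and only a `SUCCESS` response carries the `sessionToken`. It assumes Okta's `POST /api/v1/authn/factors/{factorId}/verify` endpoint with the `stateToken` in the body, which is not on this page; the `FakeOkta` class, and every token and id inside it, is a constructed stand-in so the example runs offline.

```python
"""Drive Okta's classic Authentication API (/authn) through an MFA push
challenge until a sessionToken is issued.

Added example for this thread, not code from any poster or from Okta.
Assumes the Authentication API's factor verify endpoint,
POST /api/v1/authn/factors/{factorId}/verify with the stateToken in the
body (not shown on this page), and uses a constructed in-memory fake of an
Okta org so it runs offline.
"""
import json
import time
import urllib.request


class AuthnError(Exception):
    """Raised when the /authn transaction cannot be advanced to SUCCESS."""


def post_json(url, body):
    # Real transport: POST a JSON body and parse the JSON response.
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def authn_with_push(org_url, username, password, *, post=post_json,
                    sleep=time.sleep, poll_interval=2.0, max_polls=30):
    """Return a sessionToken, advancing the transaction by its 'status'.

    MFA_REQUIRED -> POST the stateToken to the push factor's verify link;
    MFA_CHALLENGE with factorResult WAITING -> poll that same link;
    SUCCESS -> sessionToken. Any other status is treated as an error.
    """
    resp = post(f"{org_url}/api/v1/authn",
                {"username": username, "password": password})
    if resp["status"] == "SUCCESS":  # no MFA policy applied to this user
        return resp["sessionToken"]
    if resp["status"] != "MFA_REQUIRED":
        raise AuthnError(f"cannot continue from status {resp['status']}")

    state_token = resp["stateToken"]
    push = next((f for f in resp["_embedded"]["factors"]
                 if f["factorType"] == "push"), None)
    if push is None:
        raise AuthnError("no push factor enrolled for this user")
    # The verify link lives under /api/v1/authn/... and advances the
    # transaction; the Factors API under /api/v1/users/... does not.
    verify_url = push["_links"]["verify"]["href"]

    for _ in range(max_polls):
        resp = post(verify_url, {"stateToken": state_token})
        state_token = resp.get("stateToken", state_token)
        if resp["status"] == "SUCCESS":
            return resp["sessionToken"]
        if resp["status"] == "MFA_CHALLENGE" and resp.get("factorResult") == "WAITING":
            sleep(poll_interval)  # user has not tapped Approve yet
            continue
        raise AuthnError(f"unexpected status={resp['status']} "
                         f"factorResult={resp.get('factorResult')}")
    raise AuthnError("push challenge not approved before timeout")


class FakeOkta:
    """Constructed stand-in for an Okta org that approves the push on the
    Nth poll. All tokens and ids are made-up sample values."""

    STATE = "STATE-TOKEN-CONSTRUCTED"
    SESSION = "SESSION-TOKEN-CONSTRUCTED"

    def __init__(self, org_url, approve_after=3):
        self.org_url = org_url
        self.approve_after = approve_after
        self.verify_calls = 0

    def _mfa_required(self):
        verify = f"{self.org_url}/api/v1/authn/factors/opf-constructed/verify"
        return {"stateToken": self.STATE, "status": "MFA_REQUIRED",
                "_embedded": {"factors": [{"id": "opf-constructed",
                                           "factorType": "push",
                                           "_links": {"verify": {"href": verify}}}]}}

    def post(self, url, body):
        if url.endswith("/api/v1/authn"):
            # Re-posting only the stateToken here advances nothing; the org
            # just restates where the transaction stands.
            return self._mfa_required()
        if url.endswith("/factors/opf-constructed/verify"):
            if body.get("stateToken") != self.STATE:
                raise AuthnError("invalid or expired stateToken")
            self.verify_calls += 1
            if self.verify_calls < self.approve_after:
                return {"stateToken": self.STATE, "status": "MFA_CHALLENGE",
                        "factorResult": "WAITING"}
            return {"status": "SUCCESS", "sessionToken": self.SESSION}
        raise AssertionError(f"fake has no handler for {url}")


if __name__ == "__main__":
    fake = FakeOkta("https://example.okta.com")
    print(authn_with_push("https://example.okta.com", "alice", "pw",
                          post=fake.post, sleep=lambda s: None))
```

Two things worth noting about the design. The verify URL is taken from the `_links` in the `MFA_REQUIRED` response rather than hard-coded, so the same loop works for a non-push factor if the body is changed to carry a `passCode`. And both tokens should be handled as credentials: the `stateToken` expires and the `sessionToken` is single-use and short-lived, so exchange it promptly and keep both out of logs.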

I have created a OIDC react app in Okta with auth code pkce and custom sign on policy (pwd + factor(email or phone)). I have configured global session policy for Okta session (sid/idx cookie), authenticator policy (pwd + factor(email or phone)) associated to user group, custom authorization server with access policy configured with auth code, interaction code, client creds and token exchange and the access and refresh token lifetime.

What configuration did you use to get a stateToken? When I call /authn I am getting a sessionToken instead of a stateToken.
