How to get stateToken

I have gone through several forums to understand how to get stateToken, but none of them provided a straightforward answer.

I am trying to test the following:

curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d '{
   "stateToken":"00BClWr4T-mnIqPV8dHkOQlwEIXxB4LLSfBVt7BxsM",
   "username": "dade.murphy@example.com",
   "password": "correcthorsebatterystaple"
}' "https://${yourOktaDomain}/api/v1/authn"

I am not sure what I have to provide for stateToken.

A state token is an ephemeral token that encodes the current state of an authentication transaction.
You can find more details here:

It is generated during the authentication (AuthN) process and gets converted to a session token once the user has been authenticated. AuthN endpoint details here:

REST endpoint: {{url}}/api/v1/authn

Request:
{
  "username": "XXXXXXXXX",
  "password": "XXXXX"
}

Response:
{
  "expiresAt": "2020-11-27T16:16:57.000Z",
  "status": "SUCCESS",
  "sessionToken": "20111OtQlIstE4AxrG_VrClO53wrvUTbVZFGepiSOO0HfO9wj5-C3v8",
  "_embedded": {
    "user": {
      "id": "00u19umuw0gOq3QiW5d6",
      "passwordChanged": "2020-11-20T21:22:44.000Z",
      "profile": {
        "login": "XXXXX",
        "firstName": "XXXXXXX",
        "lastName": "XXXXXX",
        "locale": "en",
        "timeZone": "America/Los_Angeles"
      }
    }
  }
}

Then I took the session token as you mentioned and passed it as input for stateToken. Following are the results:
Endpoint: https://${yourOktaDomain}/api/v1/authn
Request:
{
  "stateToken": "20111OtQlIstE4AxrG_VrClO53wrvUTbVZFGepiSOO0HfO9wj5-C3v8",
  "username": "dade.murphy@example.com",
  "password": "correcthorsebatterystaple"
}

Response:
{
  "errorCode": "E0000011",
  "errorSummary": "Invalid token provided",
  "errorLink": "E0000011",
  "errorId": "oaeAKiM4DriTHi68ehfpyq7_g",
  "errorCauses":
}

Hi @praveena! The stateToken tells us what status the user is in during the authentication process - see https://developer.okta.com/docs/reference/api/authn/#transaction-state. And like @rajnadimpalli mentioned it is ephemeral so it gets converted to a session token immediately i.e., once the user has passed all the MFA requirements.

I see in your second comment your response already includes the sessionToken; this is the expected behavior. You will only receive a stateToken if you are still in the authenticating process - for example https://developer.okta.com/docs/reference/api/authn/#response-example-for-primary-authentication-with-public-application-and-expired-password.

Otherwise, you shouldn’t need to provide a stateToken at /api/v1/authn https://developer.okta.com/docs/reference/api/authn/#request-example-for-primary-authentication-with-public-application.

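To make the answer concrete, here is an added example (not code from the thread or from Okta) of a client-side routine that inspects an /api/v1/authn response and decides what to do with it: a SUCCESS response yields only a sessionToken, an intermediate state yields a stateToken that is echoed on the follow-up endpoint, and resending a sessionToken as a stateToken produces the E0000011 error seen above. The intermediate state names are taken from the transaction-state reference linked in the answer; the sample responses and token values are constructed placeholders.

```python
"""Route an Okta AuthN (/api/v1/authn) response to the right next call.
Added example for this thread, not Okta's or the forum's code; state names
follow the linked transaction-state reference, sample responses are
constructed with placeholder tokens."""
import json

# States that hand back a stateToken to be echoed on the *next* call only.
INTERMEDIATE_STATES = {"PASSWORD_EXPIRED", "PASSWORD_WARN", "MFA_ENROLL",
                       "MFA_REQUIRED", "MFA_CHALLENGE", "LOCKED_OUT"}


def primary_auth_body(username, password):
    """First call to /api/v1/authn: credentials only, never a stateToken."""
    return {"username": username, "password": password}


def next_step(raw):
    """Interpret an AuthN response: finish, continue, or surface an error."""
    body = json.loads(raw)
    if "errorCode" in body:
        # E0000011 is what the thread saw after resending a sessionToken as
        # a stateToken: the server rejects tokens it did not issue as state.
        return {"action": "error", "code": body["errorCode"]}
    status = body.get("status")
    if status == "SUCCESS":
        # Transaction finished: only a sessionToken exists, no stateToken.
        return {"action": "exchange_session_token",
                "sessionToken": body["sessionToken"]}
    if status in INTERMEDIATE_STATES and body.get("stateToken"):
        # Carry the stateToken to the endpoint the server names in _links.
        return {"action": "continue", "status": status,
                "stateToken": body["stateToken"],
                "next": body.get("_links", {}).get("next", {}).get("href")}
    return {"action": "error", "code": "UNEXPECTED_RESPONSE"}


def follow_up_body(step, **fields):
    """Body for a 'continue' step: the stateToken plus the step's fields
    (oldPassword/newPassword for PASSWORD_EXPIRED, passCode for MFA)."""
    if step["action"] != "continue":
        raise ValueError("no follow-up call for action %r" % step["action"])
    return {"stateToken": step["stateToken"], **fields}


# Constructed responses mirroring the thread's shapes (fake tokens).
SUCCESS_RESPONSE = json.dumps(
    {"status": "SUCCESS", "sessionToken": "SESSION-TOKEN-PLACEHOLDER"})
EXPIRED_RESPONSE = json.dumps(
    {"status": "PASSWORD_EXPIRED", "stateToken": "STATE-TOKEN-PLACEHOLDER",
     "_links": {"next": {"href": "https://example.okta.com/api/v1/authn/"
                                 "credentials/change_password"}}})
ERROR_RESPONSE = json.dumps({"errorCode": "E0000011"})
```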