How to get stateToken

praveena · November 26, 2020, 12:59am

I gone through several forums to understand how to get stateToken. but none of them provided straight forward answer.

I am trying to test following

curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d '{
   "stateToken":"00BClWr4T-mnIqPV8dHkOQlwEIXxB4LLSfBVt7BxsM",
   "username": "dade.murphy@example.com",
   "password": "correcthorsebatterystaple"
}' "https://${yourOktaDomain}/api/v1/authn"

I am not sure what I have to provide for stateToken

rajnadimpalli · November 27, 2020, 8:31am

A state token is ephemeral token that encodes the current state of an authentication transaction.
You can find more details here:

It is generated during the authentication (AuthN) process, and gets converted to a session token once the user has been authenticated. AuthN end point details here:

praveena · November 27, 2020, 4:20pm

rest end point : {{url}}/api/v1/authn

Request :
{
“username”: “XXXXXXXXX”,
“password”: “XXXXX”
}

Reponse
{
“expiresAt”: “2020-11-27T16:16:57.000Z”,
“status”: “SUCCESS”,
“sessionToken”: “20111OtQlIstE4AxrG_VrClO53wrvUTbVZFGepiSOO0HfO9wj5-C3v8”,
“_embedded”: {
“user”: {
“id”: “00u19umuw0gOq3QiW5d6”,
“passwordChanged”: “2020-11-20T21:22:44.000Z”,
“profile”: {
“login”: “XXXXX”,
“firstName”: “XXXXXXX”,
“lastName”: “XXXXXX”,
“locale”: “en”,
“timeZone”: “America/Los_Angeles”
}
}
}
}

Then I took session token as you mentioned and passed as input for stateToken. Following are the results
End point : https://${yourOktaDomain}/api/v1/authn
Request :
{
“stateToken”:“20111OtQlIstE4AxrG_VrClO53wrvUTbVZFGepiSOO0HfO9wj5-C3v8”,
“username”: “dade.murphy@example.com”,
“password”: “correcthorsebatterystaple”
}

Response :
{
“errorCode”: “E0000011”,
“errorSummary”: “Invalid token provided”,
“errorLink”: “E0000011”,
“errorId”: “oaeAKiM4DriTHi68ehfpyq7_g”,
“errorCauses”:
}

sigama · December 2, 2020, 8:09pm

Hi @praveena! The stateToken tells us what status the user is in during the authentication process - see https://developer.okta.com/docs/reference/api/authn/#transaction-state. And like @rajnadimpalli mentioned it is ephemeral so it gets converted to a session token immediately i.e., once the user has passed all the MFA requirements.

I see in your second comment your response already includes the sessionToken; this is the expected behavior. You will only receive a stateToken if you are still in the authenticating process - for example https://developer.okta.com/docs/reference/api/authn/#response-example-for-primary-authentication-with-public-application-and-expired-password.

Otherwise, you shouldn’t need to provide a stateToken at /api/v1/authn https://developer.okta.com/docs/reference/api/authn/#request-example-for-primary-authentication-with-public-application.

system · January 19, 2024, 12:56am

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

Post		Replies	Views
How to get the Okta State token each time when user login Questions	1	5573	January 17, 2024
Can't get statetoken (always null) Questions	5	4116	January 25, 2024
Retrieve the current Authn transation state of a given stateToken API api , java	3	3550	April 12, 2021
State Token Generation issue OAuth/OIDC	2	1875	February 16, 2024
Getting an accessToken from a sessionToken SAML	6	13197	February 8, 2024

How to get stateToken

Related topics