Setting for requiring `state` parameter in request?

I am developing an OIDC integration with Okta. At one point, I got this error when authenticating:

error: invalid_request
error_description: The authentication request has an invalid ‘state’ parameter.

I understand this is for protection against CSRF attacks. My client was not setting this parameter, so I revised the client behavior to set it, and was able to authenticate successfully.

Is this parameter required because of a particular setting in my Okta application? If so, which one?

Thanks in advance.

What kind of characters does your state contain? Our API docs indicate that the state parameter can only contain alphanumeric, comma, period, underscore, and hyphen characters.

As mentioned in the OP, the state parameter was missing altogether. Once I revised the client to populate the state, everything worked fine.

My question is about the setting of the Okta application. Is this parameter required because of a particular setting in my Okta application? If so, which one?

Ah, sorry for misreading. The link I shared above has a table of all the parameters supported for the /authorize endpoint, their format, and whether or not they are required.

The state parameter is a security enhancement for OpenID Connect and Okta requires that this parameter be included in every /authorize request.
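The client-side behaviour the thread arrives at (mint an unguessable `state`, send it on `/authorize`, and check it on the redirect back) as an added worked example; this is not code from the original thread or from Okta's own SDKs. It assumes Python, a plain dict standing in for the server-side session store, and placeholder values for the issuer URL, client ID and redirect URI. The character check enforces the allowed set quoted earlier in the thread (alphanumeric, comma, period, underscore, hyphen).

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder issuer for the example; a real Okta org and authorization server go here.
ISSUER = "https://dev-000000.okta.com/oauth2/default"

# Characters Okta accepts in `state`: alphanumeric, comma, period, underscore, hyphen.
STATE_ALLOWED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789,._-"
)


def state_is_well_formed(state):
    """True if `state` is non-empty and uses only characters Okta accepts."""
    return bool(state) and all(c in STATE_ALLOWED for c in state)


def new_state(nbytes=32):
    """Unguessable, single-use state. token_urlsafe emits only [A-Za-z0-9_-],
    a subset of the characters Okta accepts, so no further escaping is needed."""
    return secrets.token_urlsafe(nbytes)


def build_authorize_url(session, client_id, redirect_uri, issuer=ISSUER):
    """Mint a state, bind it to this browser session, and return the /authorize URL."""
    state = new_state()
    session["oidc_state"] = state  # stored server-side, keyed to the user's session cookie
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid profile",
        "redirect_uri": redirect_uri,
        "state": state,
        # nonce is echoed inside the ID token and must be checked there (not shown here)
        "nonce": secrets.token_urlsafe(16),
    }
    return f"{issuer}/v1/authorize?{urlencode(params)}"


def validate_callback(session, callback_url):
    """Check the redirect back from Okta and return the authorization code.

    Raises ValueError when state is absent, was never issued to this session,
    or does not match: that is the CSRF / login-fixation case state exists to stop.
    """
    qs = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oidc_state", None)  # pop: a state is good for one round trip only
    received = qs.get("state", [None])[0]
    if expected is None or received is None:
        raise ValueError("state missing from session or callback")
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch; rejecting callback (possible CSRF)")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    code = qs.get("code", [None])[0]
    if code is None:
        raise ValueError("callback carries neither code nor error")
    return code
```

Two points the thread's fix does not cover on its own: Okta rejecting a missing `state` only forces the client to send one, so a client that sends a state but never compares it on the callback still has no CSRF protection; and the comparison must be against a value bound to the user's own session (here popped from the server-side store so it cannot be replayed), not merely a check that some state came back.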

Got it. Thanks for the prompt and definitive answer!

