We’ve been testing using OIDC against our Okta dev site and now have a need to use the state parameter both to maintain state (an existing user linking their account) and to prevent CSRF. When we monitor the network traffic leaving our SP service going to Okta, we see the state value; however, when it comes back to us it has been, what appears to be, encrypted, encoded, or something to that effect. I assumed we would get it back as we sent it in, 1:1, but that doesn’t appear to be the case.
Are we doing something wrong? Is there something we need to do to decode/decrypt it? We need this solution to support any OIDC provider (not just Okta) but if there’s something we’re missing or need to implement here that would be good to know.
As a side note, I can tell the state value we’re getting back is base64 encoded, but it’s pretty large and we’re not sending that large of a value in. When I decode it from base64, it appears to be binary nonsense.
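The following is an added example, not code from the poster or from Okta, showing how the `state` parameter can carry both a CSRF token and the account-linking context described above, and how the callback can verify it. It assumes the provider echoes `state` back verbatim (which the OAuth 2.0 authorization response requires), and it uses a constructed signing key (`STATE_SIGNING_KEY`) and a plain dict standing in for the server-side session; the function names `build_state` and `verify_state` are this example's own.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed example secret; a real deployment loads this from configuration,
# never from source. It signs the state so a forged or edited value is rejected.
STATE_SIGNING_KEY = b"example-only-replace-with-32-random-bytes"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def build_state(session: dict, link_user_id: Optional[str] = None) -> str:
    """Create the value sent as the `state` query parameter.

    The payload carries a fresh random CSRF token plus application context
    (here the ID of the already-logged-in user whose account is being
    linked). The token is also stored in the server-side session so the
    callback can confirm the response belongs to a flow this browser started.
    """
    csrf_token = secrets.token_urlsafe(32)
    session["oidc_state_token"] = csrf_token
    payload = {"t": csrf_token}
    if link_user_id is not None:
        payload["link"] = link_user_id
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(STATE_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url_encode(mac)}"


def verify_state(session: dict, returned_state: str) -> dict:
    """Validate the `state` echoed back on the redirect URI.

    Raises ValueError on any mismatch and returns the decoded payload on
    success so the caller can resume account linking. The stored token is
    removed first, so each state value is accepted at most once.
    """
    stored = session.pop("oidc_state_token", None)
    parts = returned_state.split(".", 1)
    if len(parts) != 2:
        raise ValueError("state is not in body.signature form")
    body, sig = parts
    try:
        sig_bytes = _b64url_decode(sig)
    except ValueError:
        raise ValueError("state signature is not valid base64url")
    expected = hmac.new(STATE_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        raise ValueError("state signature mismatch (tampered or not issued by us)")
    payload = json.loads(_b64url_decode(body))
    token = payload.get("t", "")
    if stored is None or not hmac.compare_digest(stored, token):
        raise ValueError("state token does not match this session (possible CSRF)")
    return payload


if __name__ == "__main__":
    sess = {}
    state = build_state(sess, link_user_id="user-42")
    print("sent as state:", state)
    print("verified payload:", verify_state(sess, state))
```

Because the token is checked against the session that initiated the flow, a response replayed into a different browser session, a reused state value, or one with a modified payload is rejected before any linking happens. Comparing the value you sent with the one returned, character for character, is the quickest check that the provider is echoing `state` unchanged; any difference points at the client library or redirect handling rather than at the protocol.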