State parameter in response using OIDC coming back altered

Hi there,

We’ve been testing using OIDC against our Okta dev site and now have a need to use the state parameter to both maintain state (existing user linking their account) as well as prevent CSRF. When we monitor the network traffic leaving our SP service going to Okta, we see the state value, however when it comes back to us it has been, what appears to be, encrypted, encoded or something to that effect. I assumed we would get it back as we sent it in 1:1, but that doesn’t appear to be the case.

Are we doing something wrong? Is there something we need to do to decode/decrypt it? We need this solution to support any OIDC provider (not just Okta) but if there’s something we’re missing or need to implement here that would be good to know.

As a side note, I can tell the state value we’re getting back is base64 encoded, but it’s pretty large and we’re not sending that large of a value in. When I decode it from base64, it appears to be binary nonsense.

Can you show some requests/responses so we can understand the flow you are using and the issue better? I was not able to reproduce the behavior described, hence the question.

I’m sorry, I did figure this out. We’re using IdentityServer4, and after digging into the source code for Microsoft’s aspnetcore Identity library I see that it’s taking all of the parameters/items, including the raw state value, and creating a secure encoded string that’s coming back. I just needed to run it through the server-side decoding of that to pull the original state item back out of the state.

// Unprotect the opaque state returned by the provider to recover the handler's AuthenticationProperties (which carry the original state value)
OpenIdConnectOptions.StateDataFormat.Unprotect(state);
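To show the round trip the answer above describes, here is an added example (not code from the thread or from the libraries involved) for the ASP.NET Core OpenIdConnect handler. It assumes the handler stores the caller's own state value under `OpenIdConnectDefaults.UserstatePropertiesKey` inside the protected blob, and that `OnMessageReceived` runs before the handler unprotects the state itself; `"link:"` and the user id are constructed sample values.

```csharp
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

// Configuration for AddOpenIdConnect(...). The state that leaves the SP is not the
// raw value we set: the handler wraps our value plus its correlation data in a
// data-protected string. Anything that is not a valid protected blob (tampered,
// forged, or issued by a different key ring) fails Unprotect and must be rejected.
public static class StateRoundTrip
{
    public static void Configure(OpenIdConnectOptions options)
    {
        options.Events = new OpenIdConnectEvents
        {
            // Outbound: set our own state before the handler protects it.
            // The handler copies ProtocolMessage.State into
            // Properties.Items[UserstatePropertiesKey] and replaces State with
            // StateDataFormat.Protect(properties) (assumption about handler order).
            OnRedirectToIdentityProvider = ctx =>
            {
                ctx.ProtocolMessage.State = "link:" + ctx.Properties.Items["userId"]; // constructed sample
                return Task.CompletedTask;
            },

            // Inbound: State here is still the protected blob from the wire.
            OnMessageReceived = ctx =>
            {
                var properties = ctx.Options.StateDataFormat.Unprotect(ctx.ProtocolMessage.State);
                if (properties == null)
                {
                    // Integrity check failed: treat as a forged/tampered response.
                    ctx.Fail("Invalid or tampered state parameter.");
                    return Task.CompletedTask;
                }

                // Recover the value we originally sent.
                if (properties.Items.TryGetValue(OpenIdConnectDefaults.UserstatePropertiesKey, out var userState)
                    && userState != null && userState.StartsWith("link:"))
                {
                    ctx.HttpContext.Items["linkUserId"] = userState.Substring("link:".Length);
                }
                return Task.CompletedTask;
            }
        };
    }
}
```

The handler performs the same Unprotect and CSRF correlation itself; the point of unprotecting in the event is only to read the embedded user state back out before the handler continues.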