Trying to use the ChangePassword API and getting E0000079

I log in as a user via the api, and get the stateToken back.
I then call the change password API, passing the stateToken from the login, but I keep getting an error code E0000079 “This operation is not allowed in the current authentication state.”

Can anyone give me some direction as to what I may be missing?

Thank you.

Hey @cweeks!

Some of this depends on how your Org is configured. You might be able to get a little more context by looking at the System Log in your Okta Admin console.

If you are still stuck, include the previous authentication API response JSON and we should be able to point you in the right direction!

Thank you for the quick response. I reviewed the report, but I'm not really sure what I am looking at.

I also call the MFA question API after the login response below with success.

Here is the previous JSON response.

    {
      "stateToken": "009vKwNtUBBfkFjSUO5TzpPFRF1-IJc83vINPiZpbo",
      "expiresAt": "2019-01-14T20:48:23.000Z",
      "status": "MFA_REQUIRED",
      "_embedded": {
        "user": {
          "id": "xxxxxxx",
          "passwordChanged": "2019-01-14T17:07:48.000Z",
          "profile": {
            "login": "test@mail.com",
            "firstName": "firstname",
            "lastName": "lastname",
            "locale": "en",
            "timeZone": "America/Los_Angeles"
          }
        },
        "factors": [
          {
            "id": "ufsiyw76n9T49MDXj0h7",
            "factorType": "question",
            "provider": "OKTA",
            "vendorName": "OKTA",
            "profile": {
              "question": "first_computer_game",
              "questionText": "What was the first computer game you played?"
            },
            "_links": {
              "verify": {
                "href": "https://dev-xxxxxx.oktapreview.com/api/v1/authn/factors/ufsiyw76n9T49MDXj0h7/verify",
                "hints": {
                  "allow": [
                    "POST"
                  ]
                }
              }
            }
          }
        ],
        "policy": {
          "allowRememberDevice": false,
          "rememberDeviceLifetimeInMinutes": 0,
          "rememberDeviceByDefault": false,
          "factorsPolicyInfo": {}
        }
      },
      "_links": {
        "cancel": {
          "href": "https://dev-xxxxxx.oktapreview.com/api/v1/authn/cancel",
          "hints": {
            "allow": [
              "POST"
            ]
          }
        }
      }
    }

Hi @cweeks,

Based on the transaction model described at https://developer.okta.com/docs/api/resources/authn#transaction-model, you can’t change the password in that state; to change the password using the stateToken, the user needs to be in either the PASSWORD_EXPIRED or PASSWORD_WARN state.

Hope it makes sense!

That does make sense, and thank you for your response. The user did not have that status, so I reset the user password, and the status now shows “Password expired” in the profile. When I now call the change_password API I still get the “This operation is not allowed in the current authentication state.” error message.
What am I not doing correctly?

Ok, if I create an in-zone rule to not require MFA when logging in from within the zone, then the API returns status PASSWORD_EXPIRED and I can successfully change the password by calling the change_password API, but if that rule is not in place the status comes back MFA_REQUIRED and the change_password API call will not work.

How do I know that the status of the login user is PASSWORD_EXPIRED if the login call returns MFA_REQUIRED?

Looks like I have to call the Get User API right after I call the Authenticate API to get the status of the user? Shouldn’t the authentication response object contain the status of the user?
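As an added example (not code from this thread, nor from Okta's SDK), the Python helper below encodes the rule given in the answer above: change_password is only permitted while the transaction status is PASSWORD_EXPIRED or PASSWORD_WARN, and in MFA_REQUIRED the client has to follow the factor's own _links.verify.href first, which is exactly the sequence that produced E0000079 here. The sample response is a trimmed copy of the one posted in the thread; THREAD_TIME is a constructed instant inside the token's lifetime, and the expiry check is an assumption about good client hygiene rather than something the thread states.

```python
"""Okta authn transaction: which call does this stateToken allow next?"""
import json
from datetime import datetime, timezone
from typing import Optional

# Only in these states may /api/v1/authn/credentials/change_password be
# called with the stateToken; anywhere else Okta answers E0000079.
CHANGE_PASSWORD_STATES = {"PASSWORD_EXPIRED", "PASSWORD_WARN"}

# Trimmed copy of the MFA_REQUIRED response posted in the thread.
SAMPLE_MFA_REQUIRED = json.loads("""{
  "stateToken": "009vKwNtUBBfkFjSUO5TzpPFRF1-IJc83vINPiZpbo",
  "expiresAt": "2019-01-14T20:48:23.000Z",
  "status": "MFA_REQUIRED",
  "_embedded": {"factors": [{
    "id": "ufsiyw76n9T49MDXj0h7", "factorType": "question",
    "_links": {"verify": {"href":
      "https://dev-xxxxxx.oktapreview.com/api/v1/authn/factors/ufsiyw76n9T49MDXj0h7/verify"}}}]},
  "_links": {"cancel": {"href": "https://dev-xxxxxx.oktapreview.com/api/v1/authn/cancel"}}
}""")
# Constructed wall-clock instant inside the token's lifetime, so the sample can be replayed.
THREAD_TIME = datetime(2019, 1, 14, 18, 0, tzinfo=timezone.utc)


def token_expired(resp: dict, now: datetime) -> bool:
    """True once expiresAt (ISO-8601 with a 'Z' suffix) is in the past."""
    exp = datetime.fromisoformat(resp["expiresAt"].replace("Z", "+00:00"))
    return exp <= now


def next_action(resp: dict, now: Optional[datetime] = None) -> dict:
    """Map the transaction status to the single call the token permits next."""
    now = now or datetime.now(timezone.utc)
    if token_expired(resp, now):
        return {"action": "restart", "reason": "stateToken expired; authenticate again"}
    status, token = resp.get("status"), resp.get("stateToken")
    if status in CHANGE_PASSWORD_STATES:
        return {"action": "change_password", "stateToken": token}
    if status == "MFA_REQUIRED":
        # Verify one of the offered factors first; the href is taken from the
        # response itself rather than from a hard-coded URL.
        verify = [(f["factorType"], f["_links"]["verify"]["href"])
                  for f in resp["_embedded"]["factors"] if "verify" in f.get("_links", {})]
        return {"action": "verify_factor", "stateToken": token, "verify": verify}
    if status == "SUCCESS":
        return {"action": "done", "sessionToken": resp.get("sessionToken")}
    # Any other state (e.g. MFA_ENROLL, LOCKED_OUT) is out of scope here: cancel cleanly.
    return {"action": "cancel", "status": status, "href": resp["_links"]["cancel"]["href"]}
```

Run against the thread's own response, the helper reports verify_factor, not change_password, which is why the original call failed; only a response carrying PASSWORD_EXPIRED or PASSWORD_WARN unlocks change_password.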