Xamarin - Microsoft Identity Provider login invalid_state

I started my Okta journey here. https://github.com/oktadeveloper/okta-appauth-xamarin-example
This is a very easy git to follow. I successfully got it working. I’m now trying to add support to log in with a Microsoft Identity Provider. This is giving me all kinds of headaches.

I’ve followed the documentation here. https://developer.okta.com/authentication-guide/social-login/microsoft

I’ve created my Authentication Url and replaced the parameters as required. All I changed with the Xamarin app was replace the use of the DiscoveryEndpoint in the LoginProvider with my Auth url (doing this for Android first). I was having an issue with my redirect url at first but I’m 99% sure that is okay now as the dashboard is no longer reporting illegal_redirect_uri.

There were 2 parameters I didn’t know how to fill: nonce and state. The documentation says nothing about how to actually get these values. It says that you get these with the ID token but that doesn’t make any sense as this would be the first url you use to log in. I was getting an invalid_nonce error. After adding a random value for this “abc” or using the example from the documentation I no longer get this invalid_nonce error. But without the state parameter added I continue to get an invalid_state parameter (the code throws an AuthorizationException and the error is reported on the Okta dashboard). So I tried the same thing with nonce, I tried using the sample value from the doc, knowing this wouldn’t work but trying anyway. When I add in this value I get the same exception, but now there is no error listed on the dashboard, as if Okta didn’t even receive my request.

So I have a few questions.
How do I get the true nonce and state values? Is replacing DiscoveryEndpoint with my Authorization Url appropriate? Or should I be calling this a different way? How come there are no samples or posts about this? Has no one ever tried this before? Doing something like this in Auth0 is simple, yet this seems exponentially complex. Am I missing something simple/obvious? Why is it not listed in the documentation? The documentation seems to be designed for a different use case, that one sample Xamarin project (and its corresponding native samples) seem to be the only examples online of this type of use case, yet they don’t cover using identity providers.

Any help or hints on this would be greatly appreciated, I’ve already wasted enough time trying to figure this out.


You should be able to use any values for nonce or state. You can hard code them to get things working, then dynamically generate them later.
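What "dynamically generate them later" can look like, as an added example that is not part of the original thread or of the Okta sample project: a fresh `state` and `nonce` are drawn from the OS random generator for every login attempt, sent on the authorization request, and compared on the way back. The class name `AuthRequestContext`, its methods and the `response_type=code` choice are assumptions for illustration; the endpoint, client id and redirect URI are supplied by the caller.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical helper (not from the sample app): one instance per login attempt.
public sealed class AuthRequestContext
{
    public string State { get; }
    public string Nonce { get; }

    public AuthRequestContext()
    {
        State = RandomToken();
        Nonce = RandomToken();
    }

    // 32 bytes from the OS CSPRNG, base64url-encoded so the value is URL-safe.
    private static string RandomToken()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // authorizeEndpoint, clientId and redirectUri are placeholders passed in by the caller.
    public Uri BuildAuthorizeUri(string authorizeEndpoint, string clientId, string redirectUri)
    {
        var query = new Dictionary<string, string>
        {
            ["client_id"] = clientId,
            ["response_type"] = "code",   // assumption: authorization code flow
            ["scope"] = "openid",
            ["redirect_uri"] = redirectUri,
            ["state"] = State,
            ["nonce"] = Nonce,
        };
        var parts = new List<string>();
        foreach (var kv in query)
            parts.Add(Uri.EscapeDataString(kv.Key) + "=" + Uri.EscapeDataString(kv.Value));
        return new Uri(authorizeEndpoint + "?" + string.Join("&", parts));
    }

    // returnedState: the state echoed on the redirect.
    // idTokenNonce: the nonce claim read from the signature-verified ID token.
    // Reject the response if either differs from what this attempt sent.
    public bool Matches(string returnedState, string idTokenNonce) =>
        string.Equals(State, returnedState, StringComparison.Ordinal) &&
        string.Equals(Nonce, idTokenNonce, StringComparison.Ordinal);
}
```

Keep the instance only for the lifetime of one login attempt and discard it after `Matches` is called, so a replayed redirect or ID token cannot be accepted a second time.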

When I do this I still trigger the AuthorizationException. But the dashboard doesn’t show my attempt at all (doesn’t give me the specific error). I’m thinking maybe I’m supposed to be calling the auth url in a different way than the sample app uses the discovery url. Are you familiar with the project? Also, thanks for any help you can give and for the fast initial response.

I should also note, I followed the documentation linked in my initial post. When adding in my redirect url to the Okta app I used the redirect url shown in the identity provider. This is the same redirect url I used in my Authorization Url. I was unclear if this is what was needed because in the sample url they have https%3A%2F%2FyourAppUrlHere.com%2Fsocial_auth which makes me think I need to use something other than this url. But without making a webserver for this sample app I’m not sure what that would be. Should this be working with the IdP’s redirect url?

Keep in mind I’m doing
await AuthorizationServiceConfiguration.FetchFromUrlAsync(Android.Net.Uri.Parse(Constants.AuthUrl));
This is what is throwing the AuthorizationException. Is this method only supposed to handle the Discovery Url? Are you sure it will work with the IdP AuthUrl?

Well I’ve made a small amount of progress. I now think that I am not using the AuthUrl in the way I’m supposed to (It would be nice if the documentation actually told you how to use it properly).

I’ve now replaced my Discovery Url with https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
and swapped my constants out so that my ClientId was that of my Microsoft app and the redirect URI was that which I had put in my Microsoft app.

Now when I launch the login it doesn’t fail, it opens up a page to a Microsoft login, I’m able to sign in. It then goes to the redirect url (not back to the app) which displays a 400 error page. Obviously with this configuration it’s not touching Okta at all, hence the redirect failing. I’m pretty much 100% stuck here. There is no example of how to do this anywhere on the internet. How am I supposed to pop up a Microsoft login and get back to the app using Okta? Are there any online resources for this I haven’t been able to find?

Even if I paste my Authorization Url into the browser I get a 400 error. Please help! This is driving me crazy; I have until the end of the day to figure out how to use this.

Hey mate,

Were you able to resolve the invalid state issue? We are facing the same sort of thing except we are using it as a routed IDP based on email.