Refracted Paladin

Reputation: 12216

How do I get a StateToken for basic Authentication through Okta with .net sdk?

I am building an internal Web API (ASP.NET) and I need to integrate our Okta authentication with it. I have the SDK installed through NuGet and I am able to do simple things like get a User and see their Profile.

What I really need to do though is understand how I take a User, Authenticate them through Okta, and then later validate that same User.

Here is what I have, at a basic conceptual level.

var oktaClient = new OktaClient(apiToken: "00vEX-jX3to71axEZ1L3luDfaAPH9d-ZPBV4coG2Ya", baseUri: new Uri(uriString: "https://ourcompany.oktapreview.com"));
AuthClient authClient = oktaClient.GetAuthClient();
AuthResponse response = authClient.Authenticate(username: "[email protected]", password: "MyPassword");
AuthResponse huh = authClient.GetStatus(response.StateToken);

The problem is that my response does not contain a StateToken. It only contains a SessionToken. So, what I could really use some help with is what I'm missing.

I've looked through the Okta Music Store (https://github.com/okta/okta-music-store) demo, but that doesn't seem to answer my question. Perhaps it's because it's an older MVC 4 app and I'm using Web API, or just because it's a more complicated example than what I am trying to accomplish; I don't know.
I have also been reading through http://developer.okta.com/docs/api/getting_started/design_principles.html and I'm still not seeing what I'm missing.

Upvotes: 3

Views: 2213

Answers (2)

CragMonkey

Reputation: 838

I've been struggling with figuring stateToken out too, and after sifting through numerous useless responses to the same inquiry I finally found an answer:

state: Protects against cross-site request forgery (CSRF). Can be any value.

Source: https://developer.okta.com/docs/guides/add-an-external-idp/apple/create-authz-url/

I found that I can indeed provide any arbitrary string, so long as it remains consistent throughout that user's authorization flow.

What I'm still not clear on, however, is how often the state token should be regenerated and what the best practice is for maintaining that value between page loads. My assumption is that it should be randomly generated and stored in session.

UPDATE: I found this page discussing how to generate state tokens, seems relevant.

https://pipedrive.readme.io/docs/marketplace-oauth-authorization-state-parameter

The method they recommend (at least for PHP) is:

// Assign to state the hashing of the session ID
$state = hash('sha256', session_id());

Upvotes: 1

Raphael Londner

Reputation: 512

I suggest that you take a look at this code sample that shows the different authentication flows.

You only get a state token if you're in an intermediary state during the sign-in process, such as being prompted for a second factor. Otherwise, you only get a session token if the sign-in process has successfully completed.

I hope that helps!

Upvotes: 0
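As an added example that is not part of either answer or of the Okta SDK, the Python below (not the .NET SDK) handles the two outcomes Raphael describes for an Authn API response, and separately generates and checks an OAuth 2.0 state value of the kind CragMonkey's quote refers to. The response bodies are constructed placeholders shaped like /api/v1/authn replies; note that the Authn stateToken (a server-issued transaction handle) and the OAuth state parameter (a CSRF value the client chooses) are different things.

```python
import hmac
import json
import secrets
from typing import Optional

# Constructed sample replies shaped like Okta's /api/v1/authn primary
# authentication responses; the token values are placeholders, not real.
SUCCESS_RESPONSE = json.dumps({
    "status": "SUCCESS",
    "sessionToken": "<session-token-placeholder>",
    "_embedded": {"user": {"id": "00u-placeholder"}},
})
MFA_RESPONSE = json.dumps({
    "status": "MFA_REQUIRED",
    "stateToken": "<state-token-placeholder>",
    "_embedded": {"factors": [{"id": "opf-placeholder",
                               "factorType": "token:software:totp"}]},
})


def next_step(authn_json: str) -> dict:
    """Decide what the caller holds after /authn from the transaction status.

    SUCCESS: the transaction is finished and carries a one-time sessionToken.
    Any other status (MFA_REQUIRED, MFA_ENROLL, PASSWORD_EXPIRED, ...): the
    transaction is still open and stateToken is the handle for its next call.
    """
    body = json.loads(authn_json)
    status = body.get("status")
    if status == "SUCCESS":
        if "sessionToken" not in body:
            raise ValueError("SUCCESS response without sessionToken")
        return {"done": True, "session_token": body["sessionToken"]}
    if "stateToken" not in body:
        raise ValueError(f"status {status!r} without stateToken")
    return {"done": False, "status": status, "state_token": body["stateToken"]}


def new_oauth_state() -> str:
    # Unguessable per-flow value; save it in the server-side session before
    # redirecting to the authorization server, rather than deriving it from
    # anything predictable.
    return secrets.token_urlsafe(32)


def oauth_state_matches(stored: Optional[str], returned: Optional[str]) -> bool:
    # Constant-time comparison of the stored value with the callback's value;
    # a missing value on either side is a failed check, never a pass.
    if not stored or not returned:
        return False
    return hmac.compare_digest(stored, returned)
```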
