How to set 'state' parameter for API Developer Portal OAuth authorization

van Greunen, Jacques 60 Reputation points
2023-09-26T04:00:55.45+00:00

My question is related to this older topic https://github.com/Azure/api-management-developer-portal/issues/208.

I want to set up Okta OAuth authentication from the Developer Portal. I believe there is still a bug regarding that ‘state’ parameter.

The ‘state’ parameter is not part of the request URL when requesting Authentication from the developer portal, even though I did tick “Support state parameter” in the OAuth configuration.

Okta requires the ‘state’ parameter.

I’m using ‘Authorization + PKCE’.

This is the request URL sent from the Developer Portal:

https://<Oktaserver>.okta.com/oauth2/aus3d28cn6UPLknbA417/v1/authorize?response_type=code&client_id=<ClientId>&code_challenge_method=S256&code_challenge=owcExgqifVaRmsv6TUngu9LFuw7qN4FOTu9VHScKIA4&redirect_uri=https%3A%2F%2F<APIname>-azapiman.developer.azure-api.net%2Fsignin-oauth%2Fcode-pkce%2Fcallback%2Fokta&scope=openid+profile+email+offline_access

The ‘state’ parameter is not included.

Okta response payload:

error: invalid_request

error_description: The authentication request has an invalid 'state' parameter.

Is there still a bug in the Developer Portal backend?

Azure API Management

Accepted answer
  1. JananiRamesh-MSFT 22,711 Reputation points
    2023-09-26T16:50:38.9366667+00:00

    Hi van Greunen, Jacques, thanks for reaching out. Yes, sounds like a regression. I had a discussion with our Product group team, and they confirmed the same.

    Please create a GitHub issue with the above information to investigate further.

    Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.
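
As an added example (not part of the original thread and not Developer Portal code), the following JavaScript audits an authorization code + PKCE request URL for the missing 'state' parameter described in the question, and checks the value echoed back on the callback. The sample URL is constructed with placeholder host, IDs and challenge, and the function names are hypothetical.

```javascript
// Constructed sample modelled on the request in the question; the host, IDs
// and challenge are placeholders, not real values.
const SAMPLE_REQUEST =
  "https://example.okta.com/oauth2/AUTH_SERVER_ID/v1/authorize" +
  "?response_type=code&client_id=CLIENT_ID&code_challenge_method=S256" +
  "&code_challenge=CONSTRUCTED_CHALLENGE" +
  "&redirect_uri=https%3A%2F%2Fportal.example%2Fsignin-oauth%2Fcode-pkce%2Fcallback%2Fokta" +
  "&scope=openid+profile+email+offline_access";

// Returns the problems found in an authorization request URL.
// Assumption of this example: 'state' is treated as mandatory because the
// authorization server in the question rejects requests without it.
function auditAuthorizeRequest(requestUrl) {
  const params = new URL(requestUrl).searchParams;
  const problems = [];
  for (const name of ["response_type", "client_id", "state"]) {
    if (!params.get(name)) problems.push(`missing ${name}`);
  }
  if (params.getAll("state").length > 1) problems.push("duplicate state");
  if (params.get("response_type") === "code") {
    if (!params.get("code_challenge")) problems.push("missing code_challenge");
    if (params.get("code_challenge_method") !== "S256") {
      problems.push("code_challenge_method is not S256");
    }
  }
  return problems;
}

// Checks the redirect back from the authorization server: the 'state' echoed
// in the callback must equal the value the client stored before redirecting,
// otherwise the response cannot be tied to a request this client started.
function checkCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (params.get("error")) return { ok: false, reason: params.get("error") };
  if (!expectedState || params.get("state") !== expectedState) {
    return { ok: false, reason: "state mismatch" };
  }
  if (!params.get("code")) return { ok: false, reason: "missing code" };
  return { ok: true, code: params.get("code") };
}

console.log(auditAuthorizeRequest(SAMPLE_REQUEST));
```

Running the audit against a URL copied from the browser's network tab gives a quick check of whether a portal build sends 'state' before the request reaches the identity provider.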

