The following error is returned when making a request to the /authorize endpoint. Okta delivers it as query parameters on the redirect URI, which is why the description appears URL-encoded with '+' in place of spaces:
error: invalid_request
error_description: The+authentication+request+has+an+invalid+'state'+parameter
- OAuth 2.0
- OpenID Connect (OIDC)
The state parameter in the /authorize request might be missing or contain invalid characters.
Okta requires the OAuth 2.0 state parameter on all requests to the /authorize endpoint to prevent cross-site request forgery (CSRF). The OAuth 2.0 specification requires that clients protect their redirect URIs against CSRF by sending a value in the authorization request that binds the request to the user-agent's authenticated state: the client generates an unguessable value, stores it in the user's session, and on the redirect back rejects any response whose state does not match. Using the state parameter is also a countermeasure to several other known attacks, as outlined in OAuth 2.0 Threat Model and Security Considerations (RFC 6819).
State parameters can contain only alphanumeric, comma, period, underscore, and hyphen characters. A value containing any other character (for example a space, '%', '{' or '#') causes the error above, as does omitting the parameter entirely.
Here is an example of a valid request (the redirect_uri is URL-encoded; the state value uses only hyphens and alphanumerics):
https://${OktaDomainName}/oauth2/default/v1/authorize?client_id=0oabucvyc38HLL1ef0h7&response_type=code&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080&state=state-296bc9a0-a2a2-4a57-be1a-d0e2fd9bb601&nonce=g5ly497e8ps
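The following is an added example, not code from the Okta article or the Okta SDKs, showing the client-side half of what the cause section describes: generating a state value that uses only the characters Okta accepts, rejecting one that does not before the request is sent, building the /authorize URL, checking the state echoed back on the redirect URI against the value kept in the session, and decoding the error redirect quoted at the top of the page. The Okta domain and redirect URI are placeholders; the client_id and nonce are taken from the article's example URL.

```python
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Character set Okta accepts in the state parameter:
# alphanumeric, comma, period, underscore and hyphen.
OKTA_STATE_RE = re.compile(r"^[A-Za-z0-9,._-]+$")


def is_valid_state(state):
    """True if state is non-empty and uses only characters Okta accepts."""
    return bool(state) and OKTA_STATE_RE.match(state) is not None


def new_state(prefix="state-"):
    """Unguessable state value; token_urlsafe emits only [A-Za-z0-9_-], all accepted by Okta."""
    return prefix + secrets.token_urlsafe(24)


def build_authorize_url(okta_domain, client_id, redirect_uri, state, nonce, scope="openid"):
    """Build the /authorize request, refusing to send a state Okta would reject."""
    if not is_valid_state(state):
        raise ValueError(f"state contains characters Okta rejects: {state!r}")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": scope,
        "redirect_uri": redirect_uri,  # urlencode percent-encodes ':' and '/'
        "state": state,
        "nonce": nonce,
    }
    return f"https://{okta_domain}/oauth2/default/v1/authorize?" + urlencode(params)


def verify_callback(callback_url, expected_state):
    """Return the authorization code only if the echoed state matches the session value.

    A missing or mismatched state means the response was not produced by a request this
    session made (the CSRF case the state parameter exists to catch), so None is returned.
    """
    query = parse_qs(urlparse(callback_url).query)
    returned = query.get("state", [None])[0]
    if returned is None:
        return None
    # Constant-time compare on bytes; str comparison would raise on non-ASCII input.
    if not hmac.compare_digest(returned.encode("utf-8"), expected_state.encode("utf-8")):
        return None
    return query.get("code", [None])[0]


def parse_error_redirect(callback_url):
    """Decode an Okta error redirect; parse_qs turns the '+' of the raw query back into spaces."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" not in query:
        return None
    return query["error"][0], query.get("error_description", [""])[0]


if __name__ == "__main__":
    # Placeholder domain and redirect URI; client_id and nonce as in the article's example.
    domain, client_id, redirect = "dev-123456.okta.com", "0oabucvyc38HLL1ef0h7", "http://localhost:8080"
    state = new_state()
    print(build_authorize_url(domain, client_id, redirect, state, "g5ly497e8ps"))
    # Constructed redirect back from Okta for this session's state.
    print(verify_callback(f"{redirect}/?code=AUTHCODE&state={state}", state))
    # Constructed error redirect matching the text quoted at the top of the article.
    print(parse_error_redirect(
        f"{redirect}/?error=invalid_request"
        "&error_description=The+authentication+request+has+an+invalid+'state'+parameter"))
```

The character check runs before the request is built so the problem surfaces in the client's own logs rather than as an opaque redirect from Okta; the callback check is what actually provides the CSRF protection, so the stored state must be per-session and discarded after one use.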
