This probably won't be very clear; I apologize in advance. I have borrowed someone's code online that built an Azure OAuth provider and changed it to work for Okta.
As part of the code flow, the Authenticate method is called twice during the auth process. During the first call, a GUID would be generated and saved in the State field of the session object that's passed in, and then this saved State was compared to the query string passed in on the second call.
What is happening now is that the IAuthSession that's passed in is different between the first and second calls (different Id, different CreatedAt), so the State that I saved on the first instance is no longer there. Part of my OAuth code compares the State passed in by the query string to the one that was saved on the session, and if they differ, it throws an UnauthorizedAccessException (403).
I am calling authService.SaveSession during the first call.
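The two-call state check the post describes, as an added, self-contained example rather than the poster's code or ServiceStack's API. `Session`, `SessionStore` and `OAuthStateGuard` are hypothetical stand-ins for the `IAuthSession` / `SaveSession` pieces; the store is keyed by the session cookie so the program can show both the normal round-trip and the post's symptom (the callback arriving on a fresh session with no State). It also uses a CSPRNG value instead of a GUID, makes the state single-use, and compares in constant time, which is what a practitioner would want in a real provider.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not the post's code and not ServiceStack's API. Session,
// SessionStore and OAuthStateGuard are hypothetical stand-ins for the
// IAuthSession / SaveSession pieces described in the post.
public sealed class Session
{
    public string Id { get; }
    public DateTime CreatedAt { get; } = DateTime.UtcNow;
    public string State { get; set; }   // OAuth state parked here between the two calls
    public Session(string id) { Id = id; }
}

// Server-side session store keyed by the session cookie the browser sends.
// If the callback request arrives without that cookie, the lookup misses and
// a brand-new Session (new Id, new CreatedAt, empty State) is handed out,
// which is the symptom the post describes.
public sealed class SessionStore
{
    private readonly Dictionary<string, Session> _byCookie = new Dictionary<string, Session>();

    public Session GetOrCreate(string sessionCookie)
    {
        if (!_byCookie.TryGetValue(sessionCookie, out var session))
        {
            session = new Session(Guid.NewGuid().ToString("N"));
            _byCookie[sessionCookie] = session;
        }
        return session;
    }
}

public static class OAuthStateGuard
{
    // First Authenticate call: mint an unguessable state, persist it on the
    // session, and return it for inclusion in the authorize redirect URL.
    public static string IssueState(Session session)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        // URL-safe base64 so the value survives the query string unchanged.
        session.State = Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        return session.State;
    }

    // Second Authenticate call: compare the state echoed back in the query
    // string with the one stored on the session, then clear it (single use).
    public static bool VerifyState(Session session, string stateFromQuery)
    {
        var expected = session.State;
        session.State = null;                    // a replayed callback must fail
        if (string.IsNullOrEmpty(expected) || string.IsNullOrEmpty(stateFromQuery))
            return false;                        // no stored state: session replaced or never initialised
        return FixedTimeEquals(Encoding.UTF8.GetBytes(expected), Encoding.UTF8.GetBytes(stateFromQuery));
    }

    // Constant-time comparison so a wrong state cannot be distinguished by timing.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Program
{
    public static void Main()
    {
        var store = new SessionStore();

        // Call 1: browser sends cookie "c1", provider issues the state.
        var first = store.GetOrCreate("c1");
        string state = OAuthStateGuard.IssueState(first);

        // Call 2 (happy path): same cookie comes back, same Session, state matches.
        var second = store.GetOrCreate("c1");
        Console.WriteLine($"same session: {first.Id == second.Id}, state ok: {OAuthStateGuard.VerifyState(second, state)}");

        // Call 2 (the post's symptom): cookie missing on the callback, so a fresh
        // Session with no State is handed out and the check fails with the 403.
        var replaced = store.GetOrCreate("c2");
        Console.WriteLine($"same session: {first.Id == replaced.Id}");
        try
        {
            if (!OAuthStateGuard.VerifyState(replaced, state))
                throw new UnauthorizedAccessException("OAuth state mismatch");
        }
        catch (UnauthorizedAccessException e) { Console.WriteLine(e.Message); }
    }
}
```

The first two lines of output show a matching session and `state ok: True`; the last two show the replaced session and the `OAuth state mismatch` exception. Whatever replaces the cookie lookup in the real provider, the state check can only pass if the second call resolves to the same persisted session the first call saved into.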