This probably won't be very clear, I apologize in advance. I have borrowed someone's code online that built an Azure OAuth provider and changed it to work for Okta.
As part of the code flow, the Authenticate method is called twice during the auth process. During the first call, a guid would be generated and saved in the State field of the session object that's passed in, and then this saved State was compared to the query string passed in on the second call.
What is happening now is that the IAuthSession that's passed in is different between the first and second calls (different Id, different CreatedAt), so the State that I saved on the first instance is no longer there. Part of my OAuth code compares the State passed in by the QueryString to the one that was Saved on the session, and if different, throws an UnauthorizedAccessException (403).
I am calling authService.SaveSession during the first call.
What is the actual question?
Trying to describe something is very hard to follow without providing any code, any HTTP Headers or exactly what state is different. It would help your own understanding of what's happening if you record the HTTP Headers, the Cookies and the actual user session state so you can identify what's actually happening.