Azure / api-management-developer-portal

Developer portal provided by the Azure API Management service.
MIT License

Missing 'state' parameter for Developer Portal OAuth authorization #2300

Open jacquesvg opened 9 months ago

jacquesvg commented 9 months ago

Bug description

The ‘state’ parameter is not appended to the request URL when requesting OAuth authorization from the developer portal, even though “Support state parameter” is selected in the OAuth configuration. Okta OAuth requires the ‘state’ parameter.

This is the request URL sent from the Developer Portal: https://.okta.com/oauth2/aus3d28cn6UPLknbA417/v1/authorize?response_type=code&client_id=&code_challenge_method=S256&code_challenge=owcExgqifVaRmsv6TUngu9LFuw7qN4FOTu9VHScKIA4&redirect_uri=https://-azapiman.developer.azure-api.net/signin-oauth/code-pkce/callback/okta&scope=openid+profile+email+offline_access

Okta response payload:

error: invalid_request
error_description: The authentication request has an invalid 'state' parameter.

Reproduction steps

  1. Set up APIM with any API
  2. Add a new OAuth 2.0 configuration
  3. Complete the configuration setup and make sure to tick "Support state parameter"
  4. Go to the API settings and select your new OAuth configuration as the authorization method.
  5. Publish your Developer Portal
  6. Browse to your API details page in the Developer Portal and select the authorization combo option.
  7. If configured correctly, you should see an authorization popup
  8. Investigate that URL

Expected behavior

The ‘state’ parameter should be appended as the query parameter '&state=state':

https://.okta.com/oauth2/aus3d28cn6UPLknbA417/v1/authorize?response_type=code&client_id=&code_challenge_method=S256&code_challenge=owcExgqifVaRmsv6TUngu9LFuw7qN4FOTu9VHScKIA4&redirect_uri=https://-azapiman.developer.azure-api.net/signin-oauth/code-pkce/callback/okta&scope=openid+profile+email+offline_access&state=state

Additional context

Related bug: https://github.com/Azure/api-management-developer-portal/issues/208

Confirmed as a bug by Microsoft support on my original ticket: https://learn.microsoft.com/en-us/answers/questions/1376198/how-to-set-state-parameter-for-api-developer-porta