Overview#
The OAuth state parameter is an OAuth 2.0 Authorization Request parameter used to prevent Cross-site request forgery: the client generates an unguessable value, binds it to the user agent (typically via the session or a cookie), sends it in the Authorization Request, and on the Authorization Response accepts the authorization code only if the returned state matches. Best Practices are to treat it exactly like a CSRF Token. Some folks recommend that the value carry a Digital Signature (for example an HMAC or a JWT) and that the binding value be stored within a browser cookie, so the client does not need server-side session state to verify it.
Encoding claims in the OAuth 2 state parameter using a JWT points out some recommendations on the use of the OAuth state parameter, such as carrying signed claims in the state rather than only an opaque random value.
The OAuth state parameter is a form of a Nonce: it must be unguessable and accepted at most once.
More Information#
There might be more information for this subject on one of the following:
- Authorization Code Flow
- Authorization Request
- Authorization Request Parameters
- Authorization Response
- Best Practices OpenID Connect
- Covert Redirect Vulnerability
- Encoding claims in the OAuth 2 state parameter using a JWT
- Identity Token
- Implicit Grant
- OAuth 2.0 Security Best Current Practice
- OAuth Parameters Registry
- S_hash
- State
- Web Blog_blogentry_150617_1