Overview#

OAuth state parameter is a OAuth 2.0 parameter used to prevent Cross-site request forgery and Best Practices would be use a CSRF Token

Some folks recommend this be a Digital Signature and stored within the browser cookie

Encoding claims in the OAuth 2 state parameter using a JWT points out some recommendation on use of OAuth state parameter

OAuth state parameter is a form of a Nonce

More Information#

There might be more information for this subject on one of the following:

• Authorization Code Flow
• Authorization Request
• Authorization Request Parameters
• Authorization Response
• Best Practices OpenID Connect
• Covert Redirect Vulnerability
• Encoding claims in the OAuth 2 state parameter using a JWT
• Identity Token
• Implicit Grant
• OAuth 2.0 Security Best Current Practice
• OAuth Parameters Registry
• S_hash
• State