About
The state query parameter is an opaque value used by the client (app) in a redirection flow to prevent cross-site request forgery (CSRF).
Usage
Request
It's used in the request that initiates a redirection flow.
Example for an authorization code:
GET /authorize?state=xyz&response_type=code&client_id=s6BhdRkqt3&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcallback HTTP/1.1
Host: server.example.com
Callback
It comes back in the URL of the redirection response.
Example for an authorization code:
HTTP/1.1 302 Found
Location: https://client.example.com/callback?state=xyz&code=SplxlOBeZQQYbYS6WxSbIA
Value
The state parameter value can:
- be encrypted, where only you own the secret
- contain:
  - a session id
  - or the whole state, in JWT or JSON format for instance
- have a time to live.
A state may be any string.
state=BVBGzPxmRgi6MNgj9Hmq
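An added example (not part of the original page) of the Value and Callback sections together: the client builds a state that carries a session id, a nonce and an expiry, authenticates it with an HMAC under a secret only the client holds, and on the callback extracts the echoed state from the Location URL and accepts it only if the tag verifies, the session id matches and the time to live has not passed. STATE_SECRET, make_state, verify_state and callback_state are names chosen for this example.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Hypothetical client-side secret: only the client application holds it.
STATE_SECRET = os.urandom(32)

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_state(session_id: str, ttl_seconds: int = 300,
               now: Optional[float] = None) -> str:
    """Build a state value: JSON claims (session id, nonce, expiry) plus an HMAC tag."""
    now = time.time() if now is None else now
    claims = {"sid": session_id, "nonce": secrets.token_urlsafe(16),
              "exp": int(now) + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(STATE_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def verify_state(state: str, session_id: str,
                 now: Optional[float] = None) -> bool:
    """Accept the state only if it is authentic, unexpired and bound to this session."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = state.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:  # malformed token or bad base64
        return False
    expected = hmac.new(STATE_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False
    claims = json.loads(payload)
    return claims.get("sid") == session_id and claims.get("exp", 0) > now

def callback_state(location: str) -> str:
    """Extract the state echoed back in the redirect's Location URL."""
    return parse_qs(urlparse(location).query).get("state", [""])[0]
```

The session id check is what ties the callback to the browser session that started the flow; a state that verifies but was minted for another session is rejected.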