OAuth - Local State (state query parameter)


The state query parameter represents the local state of the user's navigation before the authorization code flow starts.

It's a value that comes back with the response, which then allows the previous navigation state of the user to be restored.

The state parameter is a nonce to:

  • mitigate CSRF attacks by using a unique and non-guessable value associated with each authentication request about to be initiated. That value allows you to prevent the attack by confirming that the value coming from the response matches the one you sent.
  • serve as an id under which to store the user state locally (such as the URL to redirect the user back to)

It's used in the request that initiates an authorization code flow.


A state may be any string.
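
The two uses listed above (CSRF check and local state lookup), as an added example that is not code from the original page. The endpoint, client id, redirect URI, function names, and the dict standing in for a server-side session are all assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholder values, not taken from the page.
AUTHORIZE_URL = "https://auth.example.com/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://app.example.com/callback"


def begin_authorization(session: dict, return_to: str) -> str:
    """Create a fresh state, store the local state under it, build the request URL."""
    state = secrets.token_urlsafe(32)  # unique, non-guessable value per request
    session["oauth_state"] = {"value": state, "return_to": return_to}
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Check the returned state, then return the URL to restore. Raise on mismatch."""
    params = parse_qs(urlparse(callback_url).query)
    returned = params.get("state", [""])[0]
    # Single use: the pending entry is removed on every attempt, valid or not.
    pending = session.pop("oauth_state", None)
    if pending is None or not returned:
        raise PermissionError("no pending authorization request or missing state")
    # Constant-time comparison of the value we sent with the one that came back.
    if not hmac.compare_digest(pending["value"].encode(), returned.encode()):
        raise PermissionError("state mismatch: response does not match our request")
    return pending["return_to"]


if __name__ == "__main__":
    session = {}  # constructed stand-in for a per-user server-side session
    url = begin_authorization(session, "/reports?page=3")
    sent = parse_qs(urlparse(url).query)["state"][0]
    # Constructed callback, as the authorization server would redirect back.
    print(handle_callback(session, f"{REDIRECT_URI}?code=abc&state={sent}"))
```

The code exchange itself is out of scope here; the point is that the callback is rejected before any code is used unless the state matches the one stored for this user.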

