In OAuth, what is the state parameter for?
It's an unguessable value the client sends to /authorize and checks when the user returns — its main job is to prevent CSRF attacks on the redirect.
* The unguessable state, echoed and re-checked, blocks forged (CSRF) callbacks. *
When the app redirects the user to the authorization server, it includes state=<random>. The AS echoes that same value back in the redirect. The client then verifies it matches what it sent.
Why this stops CSRF: an attacker can't forge a valid callback (e.g. tricking your browser into completing their login on your account) because they can't predict the random state your session expects. A mismatch ⇒ reject the response.
Secondarily, state can carry app context — e.g. "the user was on /cart, send them back there after login."
Tip: state is to the OAuth redirect what an anti-CSRF token is to a form POST: a value only your legitimate session knows.
Go deeper:
Auth0: State Parameter & CSRF Attacks — exactly why an unguessable
stateblocks forged callbacks.OWASP CSRF Prevention Cheat Sheet — the synchronizer-token pattern
stateis an instance of.