In OAuth, what is the state query parameter known as Local State?

About

The state query parameter is an opaque value used by the client (app) in redirection flow

• to maintain the state between the request and callback (response) (ie to restore or continue the navigation of the user).
• to prevent cross-site request forgery ¹⁾.

Usage

Request

It's used in the request that initiates a redirection flow

Example for an authorization code:

GET /authorize?state=xyz&response_type=code&client_id=s6BhdRkqt3&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcallback HTTP/1.1
Host: server.example.com

Callback

It comes back in the URL of the redirection response.

Example for an authorization code:

HTTP/1.1 302 Found
Location: https://client.example.com/callback?state=xyz&code=SplxlOBeZQQYbYS6WxSbIA

Value

The state parameter value can

• be encrypted where you only own the secret
• contains:
  • a session id
  • or the whole state in a jwt format or json format for instance
• have a time to live.

A state may be any string.

state=BVBGzPxmRgi6MNgj9Hmq