The state parameter can contain anything. It’s an opaque blob that can hold any data and mean anything based on what the client and server decide on.
But it’s meant to be used to prevent CSRF, or cross-site request forgery.
The long and short of it is without CSRF protection, a malicious website could abuse a user’s *ambient authority* in a browser and get the browser to send an OAuth request to the resource server under the authority of the currently authenticated user session.
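The following Python sketch is an added example, not part of the original answer. It shows one way a client can use `state` as CSRF protection while also carrying its own data in the blob. The `session` dict stands in for the user's server-side session, and the function names and JSON layout are assumptions.

```python
import base64
import hmac
import json
import secrets


def new_state(session: dict, return_to: str) -> str:
    """Build the state value sent with the authorization request.

    A random nonce is stored in the user's session and embedded in the
    blob together with application data (here, where to send the user
    after login).
    """
    nonce = secrets.token_urlsafe(32)
    session["oauth_nonce"] = nonce
    payload = json.dumps({"n": nonce, "r": return_to}).encode()
    return base64.urlsafe_b64encode(payload).decode()


def check_state(session: dict, state: str):
    """Validate the state returned on the callback.

    Returns the stored return_to value when the nonce matches this
    session, otherwise None. The nonce is removed from the session on
    every attempt so that a state value can be used only once.
    """
    expected = session.pop("oauth_nonce", None)
    if expected is None or not state:
        return None
    try:
        data = json.loads(base64.urlsafe_b64decode(state.encode()))
        nonce, return_to = data["n"], data["r"]
    except (ValueError, KeyError, TypeError):
        return None  # malformed blob
    if not isinstance(nonce, str):
        return None
    # Constant-time comparison against the value bound to this session.
    if not hmac.compare_digest(nonce.encode(), expected.encode()):
        return None
    return return_to
```

A callback whose state was minted for a different browser session fails the check, because the nonce in the blob does not match the one stored in the session that received the callback.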