Passing state in OAuth authorization will remains same for a user or session? If client request to access our system, de we need to change the state on every request ?
If you are using auth code flow the state parameter will be passed back in response of auth code request: https://developer.okta.com/docs/guides/implement-auth-code/use-flow/
As described in RFC 6749:
RECOMMENDED. An opaque value used by the client to maintain
state between the request and callback. The authorization
server includes this value when redirecting the user-agent back
to the client. The parameter SHOULD be used for preventing
cross-site request forgery
State is a way to link the requests, from when the user is sent to Okta’s /authorize endpoint, up until the application receives the JWTs. Depending on your application configuration and security policy, it can be the same state (eg. for an IP address) or different every time.