I have set up an external OIDC IDP in Okta and created an Application Integration. I have a React app that, upon entering the user's email and clicking sign in, redirects the user to the following link. I am able to proceed with the entire auth flow.
My question here is if there is a way to get Okta to provide the state? I am sending the request DIRECTLY from the frontend, and would prefer to not generate and store the state from there. Do advise if there is a better solution.
The state should be generated from the client side so that you can protect your redirect URIs against CSRF attacks.
Our documentation also states that Okta requires the OAuth 2.0 state parameter on all requests to the /authorize endpoint to prevent cross-site request forgery (CSRF). The OAuth 2.0 specification [requires](https://tools.ietf.org/html/rfc6749#section-10.12) that clients protect their redirect URIs against CSRF by sending a value in the authorize request that binds the request to the user-agent's authenticated state. Using the state parameter is also a countermeasure to several other known attacks as outlined in [OAuth 2.0 Threat Model and Security Considerations](https://tools.ietf.org/html/rfc6819).