The documentation I updated 4 days ago and mentioned in this post actually mentioned the state parameter as being required. It is there in the example GET request as well. I’ll look to see if we can make that more clear. Perhaps having a table that lists the required fields in the Authorization server. Here are the instructions I wrote for people coming to this post:
You will need to pass the scopes you are requesting, the redirect_uri (must be one that was registered at the time of your client registration), and a state parameter which can be any value. Once authorization has finished the browser will be redirected to the URL specified in redirect_uri with an encrypted code value and the state value sent in the initial authorize request.
While some OAuth2 providers skip the state parameter, it is recommended that it be used for mitigating CSRF requests with the authorize parameter. I’m not completely following why we check the CSRF on the token endpoint and the original developer (@sjpadgett) could perhaps shed some light on that. That said we do only check it for the authorization_grant. Since we are treating it as a required field, my thoughts are we need to change the authorization flow to do a hard fail on the authorize endpoint if the state parameter is missing. This would have helped both of us identify this problem much quicker.
I won’t be able to make this change for a while as we’re in the middle of ONC work, nor will the original developer (@sjpadgett) but if you and your team wanted to give us a pull request making the change, we’d be happy to review it.
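As an added illustration of the flow described in this post (not code from the OpenEMR project or from the poster), the following shows the three pieces the thread touches on: the client minting a state and binding it to its session before building the authorize request, the authorization server hard-failing when state is missing or redirect_uri is not one registered for the client, and the client refusing the returned code unless the echoed state matches. The endpoint, client id and redirect URI are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders; a real deployment uses its own registered values.
AUTHORIZE_ENDPOINT = "https://authz.example.invalid/oauth2/authorize"
REGISTERED_REDIRECT_URIS = {"https://client.example.invalid/callback"}


def build_authorize_url(session, client_id, redirect_uri, scopes):
    """Client side: mint a fresh unguessable state, store it in the
    user's session, and build the GET request to the authorize endpoint."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def server_validate_authorize_request(params):
    """Authorization server side: the hard fail proposed in the post.
    Reject the request outright if state is absent or redirect_uri is
    not one registered for the client, instead of silently continuing."""
    if not params.get("state"):
        raise ValueError("invalid_request: state parameter is required")
    if params.get("redirect_uri") not in REGISTERED_REDIRECT_URIS:
        raise ValueError("invalid_request: redirect_uri is not registered")
    return True


def handle_callback(session, callback_url):
    """Client side: accept the code only when the state echoed back by the
    authorization server matches the one bound to this session. The stored
    state is consumed on first use so a replayed callback is rejected too."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    returned = query.get("state", [None])[0]
    if expected is None or returned is None:
        raise ValueError("state missing from session or callback")
    if not hmac.compare_digest(expected, returned):
        raise ValueError("state mismatch: discarding authorization code")
    return query["code"][0]
```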