Question

I'm new to the OAuth2 authentication process and I'm a bit stuck because I would like to use the Zend Framework OAuth module to connect to the Box.com API.

I've found an example of connecting to an OAuth service with Zend Framework and I've followed some tutorials on YouTube about the OAuth service, and from what I've understood I first have to go through the authorization process (with the client_id, the response URL and the response_type set to "code"). That's what I've learned from the tutorial. But in the developer part of the www.box.com site there is a strange parameter in the GET call used to try to authorize the application to access the user's content:

 https://www.box.com/api/oauth2/authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_REDIRECT_URI&state=security_token%3DKnhMJatFipTAnM0nHlZA

Does the "state" parameter have to be updated with information about the application, or should it be left as it is in the online tutorial? I'm a bit confused.


Solution

The state parameter is optional. It is intended to provide an additional layer of security for your application.

Consider the OAuth workflow:

  1. Your application redirects the user to Box.com
  2. Box prompts the user for credentials and authorization
  3. Box redirects the user back to your application with authorization information in tow.

The state that you send to Box in Step 1 is sent back unchanged to your application by Box in Step 3. Your application can compare these values to verify that the Box redirect in step 3 originated from a request made by your application.

The state can be any arbitrary string. Pick a random string of some length. This value should be generated anew for each new OAuth request (i.e., Step 1), since it's intended to identify a single OAuth cycle for a particular user.

Does that make sense?
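The three-step flow in the answer above, as an added example that is not part of the original answer or of any Box or Zend Framework code. It shows the part the answer leaves implicit: the state is generated fresh per request, stored server-side, sent on the authorize URL, and on the callback it is compared in constant time and consumed so it can only be used once. The `session` dict stands in for whatever server-side session store the application uses; `CLIENT_ID` is the placeholder from the question and `REDIRECT_URI` is an assumed value.

```python
import secrets
import hmac
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoint and parameter names are the ones shown in the question.
# CLIENT_ID is the question's placeholder; REDIRECT_URI is an assumed value.
AUTHORIZE_URL = "https://www.box.com/api/oauth2/authorize"
CLIENT_ID = "YOUR_CLIENT_ID"
REDIRECT_URI = "https://example.com/oauth/callback"


def begin_authorization(session: dict) -> str:
    """Step 1: mint a fresh random state, remember it server-side,
    and build the URL the user is redirected to."""
    state = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG, URL-safe
    session["oauth_state"] = state             # bound to this user's session only
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def complete_authorization(session: dict, callback_url: str) -> str:
    """Step 3: verify the state echoed back by Box matches the one this
    session issued, consume it, and return the authorization code."""
    # Pop rather than get: the state is single-use, whether or not it matches,
    # so a captured callback URL cannot be replayed into the same session.
    expected = session.pop("oauth_state", None)
    params = parse_qs(urlparse(callback_url).query)
    received = params.get("state", [None])[0]
    code = params.get("code", [None])[0]

    if expected is None or received is None:
        raise ValueError("no state to compare: not an in-progress authorization")
    # Constant-time comparison on bytes; a non-ASCII forgery cannot raise TypeError here.
    if not hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8")):
        raise ValueError("state mismatch: callback did not originate from this session")
    if code is None:
        raise ValueError("callback carries no authorization code")
    return code


if __name__ == "__main__":
    # Constructed walk-through of one cycle (no network involved).
    session = {}
    redirect_to = begin_authorization(session)
    print("redirect user to:", redirect_to)
    # Pretend Box sent the user back with a code and the same state.
    callback = f"{REDIRECT_URI}?code=abc123&state={session['oauth_state']}"
    print("authorization code:", complete_authorization(session, callback))
```

The code that comes back in the callback is only as trustworthy as the state check that precedes it: without it, an attacker can complete Step 1 with their own Box account and then get a victim to visit the resulting callback URL, so the victim's session ends up linked to the attacker's Box data.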

Lizenziert unter: CC-BY-SA mit Zuschreibung
Not affiliated with StackOverflow