The `state` parameter is optional. It is intended to provide an additional layer of security for your application.
Consider the OAuth workflow:
1. Your application redirects the user to Box.com
2. Box prompts the user for credentials and authorization
3. Box redirects the user back to your application with authorization information in tow.
The `state` that you send to Box in Step 1 is sent back unchanged to your application by Box in Step 3. Your application can compare these values to verify that the Box redirect in Step 3 originated from a request made by your application.
The `state` can be any arbitrary string. Pick a random string of some length. This value should be generated new for each new OAuth request (i.e., Step 1), since it's intended to identify a single OAuth cycle for a particular user.
Does that make sense?
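
The check described in the answer above, as an added example that is not part of the original post: Step 1 mints a fresh `state` and binds it to the user's session, and Step 3 accepts the redirect only if the returned value matches. The `session` dict, the function names, the client ID and the callback URL are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Box's OAuth 2.0 authorization endpoint.
AUTHORIZE_URL = "https://account.box.com/api/oauth2/authorize"


def begin_authorization(session, client_id, redirect_uri):
    """Step 1: mint a fresh state, bind it to this session, build the redirect URL."""
    state = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
    session["oauth_state"] = state     # hypothetical server-side session store
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session, callback_url):
    """Step 3: return the authorization code only if the returned state matches."""
    params = parse_qs(urlparse(callback_url).query)
    returned = params.get("state", [""])[0]
    # pop() makes the state single use: any callback attempt consumes it.
    expected = session.pop("oauth_state", None)
    if expected is None or not returned:
        raise PermissionError("no OAuth request pending for this session")
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), returned.encode()):
        raise PermissionError("state mismatch: redirect not tied to this session")
    codes = params.get("code")
    if not codes:
        raise ValueError("callback carried no authorization code")
    return codes[0]


if __name__ == "__main__":
    session = {}  # constructed stand-in for a real per-user session
    url = begin_authorization(session, "CLIENT_ID_PLACEHOLDER",
                              "https://app.example/callback")
    state = parse_qs(urlparse(url).query)["state"][0]
    # Constructed callback, as if the user had been redirected back in Step 3.
    cb = "https://app.example/callback?" + urlencode(
        {"code": "SAMPLE_CODE", "state": state})
    print(handle_callback(session, cb))
```

Because the stored value is removed on every callback attempt, a replayed or forged redirect fails even if it arrives after a legitimate one.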