PKCE Flow
3. Verify the state parameter
You have now been redirected back to the application, to the page specified in the redirect-url parameter. In the URL you can notice that there are additional query parameters:
Let's break it down...
- state=
The state parameter is an opaque value used by the client to maintain state between the request and the callback. Essentially, it is used to prevent Cross-Site Request Forgery (CSRF) attacks and to ensure the response belongs to the request made by the client.
The state value isn't strictly necessary here since the PKCE parameters provide CSRF protection themselves. In practice, if you're sure the OAuth server supports PKCE, you can use the state parameter for application state instead of using it for CSRF protection.
- session_state=
The session state parameter is not a core part of the OAuth 2.0 specification, but it is used in OpenID Connect (OIDC) to represent the state of the end user's session at the Authorization Server. The client can use this value to help manage user sessions or to detect when the user's session at the Authorization Server changes (for example, if the user logs out).
- code=
The code parameter contains the actual authorization code. This is a temporary code that the client can exchange for an access token (and optionally, a refresh token) by making a back-channel request to the Authorization Server. The format and structure of the code are determined by the Authorization Server: it can be just a random string or a more complex construction. The exact significance of that structure is specific to the Authorization Server implementation and might include different identifiers or information encoded in it.
Now we have everything necessary to obtain a token for the user. But is the state we sent equivalent to the one we received back?
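To answer that question, here is an added example (not code from the original page) of a callback handler that parses the redirect URL, matches the returned state against a request this client actually made, consumes the entry so a replayed redirect fails, and hands back the code together with the PKCE code_verifier stored under that state. The PENDING store, the URL and all of its query values are constructed placeholders.

```python
import hmac
from urllib.parse import urlparse, parse_qs

# Constructed sample of what the application stored before redirecting the browser
# (hypothetical in-memory store keyed by the state value the client generated).
PENDING = {
    "n8f2kq": {
        "code_verifier": "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk",
        "redirect_uri": "https://app.example.com/callback",
    },
}

# Constructed sample redirect URL; the query values are placeholders, not real tokens.
CALLBACK_URL = ("https://app.example.com/callback"
                "?state=n8f2kq&session_state=3c1b9e&code=SplxlOBeZQQYbYS6WxSbIA")


def parse_callback(url):
    """Return the query parameters of the redirect URL as single values."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    # A repeated 'state' or 'code' parameter is ambiguous, so refuse it outright.
    dupes = [k for k, v in query.items() if len(v) != 1]
    if dupes:
        raise ValueError(f"duplicate callback parameter(s): {dupes}")
    return {k: v[0] for k, v in query.items()}


def verify_state(received, pending):
    """Find the pending request for the received state and consume it (single use).

    Constant-time comparison keeps the check from leaking how much of the value matched.
    """
    if not received:
        raise ValueError("callback is missing the state parameter")
    for stored_state in list(pending):
        if hmac.compare_digest(stored_state.encode(), received.encode()):
            return pending.pop(stored_state)  # a replayed redirect now fails
    raise ValueError("state does not match any request this client made")


def handle_callback(url, pending):
    """Validate the redirect and return what the token request needs."""
    params = parse_callback(url)
    if "error" in params:
        raise ValueError(f"authorization server returned error={params['error']}")
    request = verify_state(params.get("state"), pending)
    if "code" not in params:
        raise ValueError("callback is missing the authorization code")
    return {"code": params["code"], "code_verifier": request["code_verifier"],
            "redirect_uri": request["redirect_uri"]}
```

The returned dictionary is exactly what the back-channel token request needs; only after this check passes should the code be exchanged.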