> Practically speaking, the state is just a random non-guessable string that is saved in the client application session
It doesn't have to be completely random; the spec only makes partial randomness a requirement:
"The binding value used for CSRF protection MUST contain a non-guessable value"
---
The state can be used to transmit useful data as long as the data isn't sensitive:
"The 'state' and 'scope' parameters SHOULD NOT include sensitive client or resource owner information in plain text, as they can be transmitted over insecure channels or stored insecurely."
This can be used in place of any 'Additional Client Callback URL params'.
---
Aside from that, I think this is very well written! I'll share it with others who want to learn more about OAuth 2.0 and its extensions.
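An added example (not from the post or the comment above) of the two points made here: the state carries a non-guessable nonce for CSRF protection plus a non-sensitive return path, and the callback only honours the return path after the state matches the one bound to the session. The session is modelled as a plain dict and the authorization endpoint, client id and redirect URI are placeholders.

```python
import base64
import hmac
import json
import secrets
from typing import Optional
from urllib.parse import urlencode

# The client application session is modelled as a plain dict (assumption).


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state(session: dict, return_to: str = "/") -> str:
    """Build a state value: a non-guessable nonce plus non-sensitive data."""
    nonce = secrets.token_urlsafe(32)  # the non-guessable part required by the spec
    payload = {"n": nonce, "r": return_to}  # travels in the URL, so nothing sensitive here
    state = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    session["oauth_state"] = state  # bind the value to this user's session
    return state


def authorization_url(session: dict, client_id: str, redirect_uri: str, return_to: str = "/") -> str:
    """Build the redirect to the (placeholder) authorization endpoint."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": make_state(session, return_to),
    }
    return "https://authorization-server.example/authorize?" + urlencode(params)


def verify_state(session: dict, received_state: str) -> Optional[str]:
    """Return the embedded return path if the callback's state matches the session,
    otherwise None (treat a mismatch as a CSRF attempt and abort the flow)."""
    expected = session.pop("oauth_state", None)  # single use: consume it either way
    if expected is None or not hmac.compare_digest(expected.encode(), received_state.encode()):
        return None
    try:
        payload = json.loads(_b64url_decode(received_state))
    except ValueError:
        return None
    if not isinstance(payload, dict):
        return None
    return_to = payload.get("r", "/")
    # Even after the match, only follow a local path, never an absolute URL.
    return return_to if return_to.startswith("/") and not return_to.startswith("//") else "/"
```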