I am securing some UI pages: whenever a new request comes, if it has no accessToken or code, I redirect it to our oauth2 provider login page.
But, in this redirect URL I add a state parameter, and the value of this state parameter I also store as a cookie (called STATE_COOKIE) in the redirected request.
When another request comes with a code, I first look to see if it has a STATE_COOKIE, then exchange the code for an accessToken, then check if the STATE_COOKIE value is the same as the state in the accessToken.
Is this how I am supposed to use the state parameter? I cannot (do not know how) store it locally, as there is no session concept in our app. It would be very easy for me to store this state value locally, and when I get an accessToken compare its state value with the locally stored one (ones).
What should I do?
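The redirect-and-compare flow described in the question, written out as an added example (not code from the original post): a fresh random state per redirect, stored in STATE_COOKIE together with an HMAC so the cookie cannot be forged, and compared against the state the provider sends back on the callback before the code is exchanged. The authorize URL, client id, redirect URI and server secret are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlencode

STATE_COOKIE = "STATE_COOKIE"
# Constructed example secret; in a real deployment load it from configuration.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def _mac(state: str) -> str:
    return hmac.new(SERVER_SECRET, state.encode(), hashlib.sha256).hexdigest()


def begin_login(authorize_url: str, client_id: str, redirect_uri: str) -> dict:
    """Build the redirect to the provider and the cookie that remembers its state.
    The state is unguessable; the cookie carries it with an HMAC so tampering is detected."""
    state = secrets.token_urlsafe(32)
    query = {"response_type": "code", "client_id": client_id,
             "redirect_uri": redirect_uri, "state": state}
    cookie_value = f"{state}.{_mac(state)}"
    return {
        "state": state,
        "location": f"{authorize_url}?{urlencode(query)}",
        "cookie_value": cookie_value,
        # HttpOnly/Secure/SameSite and a short lifetime limit what a leaked cookie is worth.
        "set_cookie": f"{STATE_COOKIE}={cookie_value}; Path=/; Max-Age=300; "
                      "HttpOnly; Secure; SameSite=Lax",
    }


def verify_callback(query: dict, cookies: dict) -> Optional[str]:
    """Return the authorization code only if the callback's state matches the cookie.
    Call this before exchanging the code; on mismatch the code must not be exchanged."""
    cookie = cookies.get(STATE_COOKIE, "")
    returned = query.get("state", "")
    if "." not in cookie or not returned:
        return None
    cookie_state, mac = cookie.rsplit(".", 1)
    # Constant-time comparisons: first the cookie's integrity, then the state itself.
    if not hmac.compare_digest(mac, _mac(cookie_state)):
        return None
    if not hmac.compare_digest(cookie_state, returned):
        return None
    return query.get("code")
```

Because the state lives only in the browser's cookie and in the redirect, no server-side session is needed; the HMAC is what lets the server trust a value it did not keep.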