From 2e38c54982a23b234817c5c666c52219964d93e3 Mon Sep 17 00:00:00 2001
From: Eduardo Partipilo
Date: Thu, 27 Sep 2018 17:07:20 +0200
Subject: [PATCH 1/2] Allow set state in case it exists on oauth2 provider

---
 lib/schemes/oauth2.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/schemes/oauth2.js b/lib/schemes/oauth2.js
index de39e010b..6b0a332f1 100644
--- a/lib/schemes/oauth2.js
+++ b/lib/schemes/oauth2.js
@@ -70,7 +70,7 @@ export default class Oauth2Scheme {
 client_id: this.options.client_id,
 redirect_uri: this._redirectURI,
 scope: this._scope,
- state: randomString(),
+ state: this.options.state || randomString(),
 };
 
 if (this.options.audience) {

From bda974eae8fb267dfeba5e040dbf6d0b7e76bea6 Mon Sep 17 00:00:00 2001
From: Ahad Birang
Date: Sun, 10 Feb 2019 16:12:02 +0330
Subject: [PATCH 2/2] chore(doc): add docs for oauth2 state param

---
 docs/schemes/oauth2.md | 8 +++++++-
 lib/schemes/oauth2.js | 2 ++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/docs/schemes/oauth2.md b/docs/schemes/oauth2.md
index c713fa21f..5e21971d6 100644
--- a/docs/schemes/oauth2.md
+++ b/docs/schemes/oauth2.md
@@ -18,7 +18,8 @@ auth: {
 token_type: 'Bearer',
 redirect_uri: undefined,
 client_id: 'SET_ME',
- token_key: 'access_token'
+ token_key: 'access_token',
+ state: 'UNIQUE_AND_NON_GUESSABLE'
 }
 }
 }
@@ -64,6 +65,11 @@ By default is set to `token_key: 'access_token'`. If you need to use the IdToken
 
 By default is set to `refresh_token_key: 'refresh_token'`. It automatically store the refresh_token, if it exists.
 
+### `state`
+
+By default is set to random generated string.
+The primary reason for using the state parameter is to mitigate CSRF attacks. ([read more](https://auth0.com/docs/protocols/oauth2/oauth-state))
+
 ## Usage
 
 ```js
diff --git a/lib/schemes/oauth2.js b/lib/schemes/oauth2.js
index d81c57423..8082e0786 100644
--- a/lib/schemes/oauth2.js
+++ b/lib/schemes/oauth2.js
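Review bot: The `+` line in the first hunk turns `state` into a fixed value read from `this.options.state`, so once it is configured the same string is sent on every authorization request instead of a fresh per-request nonce; if the callback path compares the returned state against the stored one (not visible in this hunk), that comparison can no longer tell a forged callback from a legitimate one, which is the CSRF property the parameter exists for. A value placed in static configuration also cannot be "unique and non-guessable" per request, however it is labelled. If callers need control over the value, accept a generator rather than a literal, e.g. `state: typeof this.options.state === 'function' ? this.options.state() : randomString(),`, and otherwise document that a literal here disables the CSRF protection. The enclosing method starts before this hunk and continues past its last line.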
@@ -70,6 +70,8 @@ export default class Oauth2Scheme {
 client_id: this.options.client_id,
 redirect_uri: this._redirectURI,
 scope: this._scope,
+ // Note: The primary reason for using the state parameter is to mitigate CSRF attacks.
+ // @see: https://auth0.com/docs/protocols/oauth2/oauth-state
 state: this.options.state || randomString(),
 };