Hi, I have not been able to find any usage for the state parameter in authorization requests for native apps. Further, the spec guidance of using a hash of the session cookie as the value of the state param doesn't apply for native apps.
draft-wdenniss-oauth-native-apps is silent on the matter. Usage of state seems to be unique to clients conforming to the web app profile. Bottom line, looking to vet that it's safe to omit the state parameter in the authorization request for native apps, and that I'm not missing something critical.
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
