Use of state parameter in authorisation code flow #190

Open
ciseng opened this issue Nov 10, 2016 · 6 comments

Comments

@ciseng

ciseng commented Nov 10, 2016

It seems like the state parameter is supported in the implementation, but I am not sure how it is used on the AS side. Could you give an example of how, when granting a code, the server can also call back with the state value?

@jaredhanson
Owner

The state parameter is just stored and echoed back to the client. Is there something other than that you are referring to?

@ciseng
Author

ciseng commented Nov 11, 2016

Thanks for your reply.

So, there is no change in the following code piece? If the user’s request has state, it is just echoed back? Nothing to add on the implementor’s side?

server.grant(oauth2orize.grant.code(function(client, redirectURI, user, ares, done) {
  var code = utils.uid(16);

  var ac = new AuthorizationCode(code, client.id, redirectURI, user.id, ares.scope);
  ac.save(function(err) {
    if (err) { return done(err); }
    return done(null, code);
  });
}));

@Cogiva

Cogiva commented Jan 23, 2017

I pass in a state, but it does not appear to be echoed back to the client on the final redirect. I am using Angular as the front-end user allow/deny page, but this is redirected after the initial authorisation call has been made, so the state should be in the session, right?

@lrohrmann

I have the same problem. Does anybody know how to handle a state URL parameter so that it is echoed back on the final redirect?

@webbcam

webbcam commented Oct 17, 2017

Still having this problem as well (on final redirect), any solutions?

@ursualexandr

ursualexandr commented Nov 13, 2019

Still having this problem as well, any solutions?

UPDATE:
It is working properly; you have to pass the state parameter when you first hit the authorize endpoint,
e.g.:
http://example.com/oauth/authorize?client_id=234523523&redirect_uri=https://example.com/signin&response_type=code&state=CfDJ8CI
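
The round trip discussed in this thread, seen from the client side, as an added example that is not part of the original comments and is not oauth2orize code: the client sends an unguessable state on the first authorize request and rejects any final redirect whose echoed state does not match. The function names are hypothetical, the endpoint and client values are the ones from the comment above, and `simulateServerRedirect` is a constructed stand-in for a server that stores and echoes state.

```javascript
const crypto = require('node:crypto');

// Hypothetical client helper: build the first authorize request with a random state.
function buildAuthorizeUrl(authorizeEndpoint, clientId, redirectUri) {
  const state = crypto.randomBytes(16).toString('hex');
  const url = new URL(authorizeEndpoint);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('state', state);
  // The caller keeps `state` in the user's session until the final redirect.
  return { url: url.toString(), state };
}

// Hypothetical client helper: accept the code only if the echoed state matches.
function verifyCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  const echoed = params.get('state');
  if (typeof expectedState !== 'string' || !expectedState || !echoed) {
    return { ok: false, reason: 'missing state' };
  }
  const a = Buffer.from(echoed);
  const b = Buffer.from(expectedState);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) {
    return { ok: false, reason: 'state mismatch' };
  }
  const code = params.get('code');
  if (!code) return { ok: false, reason: 'missing code' };
  return { ok: true, code };
}

// Constructed simulation of the server: echo back whatever state arrived
// on the authorize request, alongside the issued code.
function simulateServerRedirect(authorizeUrl, code) {
  const req = new URL(authorizeUrl).searchParams;
  const redirect = new URL(req.get('redirect_uri'));
  redirect.searchParams.set('code', code);
  if (req.has('state')) redirect.searchParams.set('state', req.get('state'));
  return redirect.toString();
}
```

If the first request carries no state, the simulated redirect carries none either and `verifyCallback` returns `missing state`.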
