Why do the Google OAuth 2.0 docs for Web Apps not mention "state" parameter?

Question

Reading over the Google OAuth docs at https://developers.google.com/identity/protocols/OAuth2WebServer#handlingresponse, I was surprised (or at least curious why) there's no documentation on state. It seems pretty important to prevent CSRF attacks (https://www.rfc-editor.org/rfc/rfc6819#section-4.4.1.8) even in the non-implicit flow.

Am I missing something that suggests state param is not absolutely necessary? Seems like it should be emphasized in the docs so people don't leave their apps with CSRF vulnerabilities.

Answer 1

It is mentioned but only for the HTTP/Rest examples. Take a look at the redirect section with HTTP/Rest selected.

Redirecting to Google's OAuth 2.0 server

When your application needs to access a user's data, redirect the user to Google's OAuth 2.0 server.

HTTP/REST

Generate a URL to request access from Google's OAuth 2.0 endpoint at https://accounts.google.com/o/oauth2/v2/auth. This endpoint is accessible over HTTPS; plain HTTP connections are refused.

The set of query string parameters supported by the Google Authorization Server for web server applications are:

... Omitted text ...

state - Any string - Provides any state that might be useful to your application upon receipt of the response. The Google Authorization Server roundtrips this parameter, so your application receives the same value it sent. To mitigate against cross-site request forgery (CSRF), it is strongly recommended to include an anti-forgery token in the state, and confirm it in the response. See OpenID Connect for an example of how to do this.