The client must use state parameter to block CSRF attack against the redirect URI. Without the state parameter client browser/server has no way of knowing whether the incoming GET request with the authorization code was caused by a 302 redirect it initiated or by user clicking a hyperlink in a malicious email / blog.

Steps to create a CSRF attack

First the actors in oauth flow

The steps (without using state )

         Assumption is that simpleuser is allready logged in to localsession has been created by webserver for simpleuser. (CSRF attack is also called session riding as existing user session is exploited)

The steps (with using state and hence preventing CSRF)

Sequence Diagram (shows oauth flow with state handling)

Note that storage method of state depends on app type