auth0 / passport-linkedin-oauth2

Passport Strategy for LinkedIn OAuth 2.0
MIT License

Question: about state & session #38

Open JSteunou opened 8 years ago

JSteunou commented 8 years ago

I tried to use state: true but then I saw it requires a session. I do not use express-session nor passport with session. Why are both tied together, and how can I have a state without a session?

siacomuzzi commented 8 years ago

The state param is used to prevent CSRF attacks. From the LinkedIn API doc:

Before you accept the authorization code, your application should ensure that the value returned in the state parameter matches the state value from your original authorization code request. This ensures that you are dealing with the real original user and not a malicious script that has somehow slipped into the middle of your authentication flow. If the state values do not match, you are likely the victim of a CSRF attack and you should throw an HTTP 401 error code in response.

That's why they are tied: passport-oauth2 requires session support to persist the state value between redirects.