Thanks Meghna,
That is the plan, but when i use code and state, and call get_tokens_by_code is when i get the 'state is not defined' error?
<edit>I can confirm, this is still occuring in oxd4.0 beta, with the code snippet using the javascript swaggerised API:
```
// get access and id tokens from code & state
opts = { 'authorization':'Bearer '+access_token,
'getTokensByCodeParams':
{
'oxd_id':oSetting.oxd_id,
'code':req.query.code,
'state':req.query.state
}
};
oxdApi.getTokensByCode(opts,function(err,resTokenCode)
```
The code works if I get redirected from the /authorization-url (ie logged in), but if I refresh the page I get the "state not registered" error. I would like to be able to use these values (possibly stored in a cookie or session) so a user can stay authenticated to my site...
thanks,
Geoff