what does state, session_state, and code url paremeters from a keycloak redirect represent?

Question

What does the state, session_state and code url parameters represent in the url string after getting a redirect after logging in via keycloak?

I do keycloak.init to require a login and get redirected to the ChatPage portion of my react app:

this.state.appKeycloak.init({
    onLoad: 'login-required',
    redirectUri: 'http://localhost:3000/ChatPage'
})

After logging in to my local react app on http://localhost:3000 I see this in the URL:

http://localhost:3000/ChatPage#state=7....1&session_state=e...70&code=c...f6

What does the state, session_state, and code fields represent? Do any of them have the token I can decode to get the users login information?

Answer 1

No, none of them do. Those are all parameters from various standards.

code is used for authorization code flow to exchange for the tokens at the token endpoint. You can get the access_token, refresh_token and id_token at the token endpoint by using the code.

state is used to prevent CSRF attacks either by attackers initiating requests to the authorization endpoint or forging responses to the application redirect endpoint.

session_state is part of the OpenID Connect Session Management specification where you use an iframe to check if the SSO user has logged out for instance.