I've implemented Google OAuth2 login for different Google services a couple of times now, but never really thought about how the state token can be abused if no session token is included.
I understand the principles of CSRF and I've implemented my OAuth2 flows as described in https://developers.google.com/accounts/docs/OAuth2Login (with session token in the state token); I just don't see how an attacker can abuse this if the session token is not present.
Maybe it's related to what I do after a successful response from the Google consent page (I obtain refresh + access token, store them to a user specified in the state token and redirect to another page also specified in the state token), but how is it a problem otherwise?
I saw this answer in a related question, which explains how a CSRF attack can be done (and how the state token prevents it): https://stackoverflow.com/a/23640462/736247
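As an added example (not code from the question, the linked answer or Google's docs), here is the check the session-bound state gives you, in Python: the state carries the session token, user id and redirect target, is MAC'd with an assumed server-side key, and the callback rejects any state whose embedded session token differs from the session of the browser that actually arrived at the callback. A state minted under one session therefore cannot be replayed into another, which is exactly what dropping the session token from the state would allow.

```python
import hashlib
import hmac
import json
import secrets
from base64 import urlsafe_b64decode, urlsafe_b64encode
from typing import Optional

# Assumed server-side secret for this example; a real app loads it from config.
STATE_KEY = secrets.token_bytes(32)
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def make_state(session_token: str, user_id: str, redirect_to: str) -> str:
    """Build an opaque OAuth2 'state' value that binds the round trip to the
    browser session that started it, plus the app data the callback needs."""
    payload = json.dumps(
        {"sid": session_token, "uid": user_id, "next": redirect_to,
         "nonce": secrets.token_hex(16)},
        separators=(",", ":"),
    ).encode()
    mac = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    return urlsafe_b64encode(payload + mac).decode()


def verify_state(state: str, session_token: str) -> Optional[dict]:
    """Return the state payload only if its MAC is valid AND the session token
    inside it matches the session of the browser hitting the callback."""
    try:
        raw = urlsafe_b64decode(state.encode())
    except Exception:
        return None  # not something we issued
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # tampered or forged state
    data = json.loads(payload)
    if not hmac.compare_digest(data["sid"], session_token):
        return None  # issued for a different browser session: reject
    return data


if __name__ == "__main__":
    # Constructed sample values.
    state = make_state("sess-victim", "alice", "/dashboard")
    print(verify_state(state, "sess-victim"))  # payload dict
    print(verify_state(state, "sess-other"))   # None
```

Only after `verify_state` succeeds should the callback exchange the code for tokens and store them against `uid`, then redirect to `next`.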