oauth-2.0

Is it safe to store the OAuth2 state parameter in JavaScript storage (cookie, local storage)?


I have a web app with a frontend in JavaScript and a stateless backend. I need to authorize the user via OAuth2. When I redirect the user to the OAuth2 provider, I need to bind a state parameter to the request to prevent a CSRF attack. When the OAuth2 provider redirects the user back to my app, I need to check that the state parameter is the same. I cannot store the state parameter in the backend, because it is stateless. Is it safe to store the OAuth2 state parameter in some JavaScript storage?


Solution

  • The common technique for an SPA is to store the state parameter in the browser via HTML5 session storage and remove it when the response is received. It is just an unguessable value that changes for every redirect.

    A couple of related links:

    Out of interest, the above widely used certified library uses this behaviour.