mitsuhiko · stanhu · Dec 9, 2013
diff --git a/flask_oauth.py b/flask_oauth.py
@@ -320,12 +320,16 @@ def free_request_token(self):
         session.pop(self.name + '_oauthtok', None)
         session.pop(self.name + '_oauthredir', None)
 
-    def authorize(self, callback=None):
+    def authorize(self, callback=None, state=None):
         """Returns a redirect response to the remote authorization URL with
         the signed callback given.  The callback must be `None` in which
         case the application will most likely switch to PIN based authentication
         or use a remotely stored callback URL.  Alternatively it's an URL
         on the system that has to be decorated as :meth:`authorized_handler`.
+
+        :param state: an optional value to embed in the OAuth request. Use this
+        if you want to pass around application state (e.g. CSRF tokens,
+        URLs, etc.)
         """
         if self.request_token_url:
             token = self.generate_request_token(callback)[0]
@@ -339,7 +343,8 @@ def authorize(self, callback=None):
             params = dict(self.request_token_params)
             params['redirect_uri'] = callback
             params['client_id'] = self.consumer_key
-            params['response_type'] = 'code'
+            if state:
+                params['state'] = state
             session[self.name + '_oauthredir'] = callback
             url = add_query(self.expand_url(self.authorize_url), params)