diff --git a/keystoneauth_oidc/plugin.py b/keystoneauth_oidc/plugin.py
index 844a6a4..40de005 100644
--- a/keystoneauth_oidc/plugin.py
+++ b/keystoneauth_oidc/plugin.py
@@ -18,6 +18,7 @@
 import pkce
 import socket
 import webbrowser
+import uuid
 from keystoneauth1 import _utils as utils
 from keystoneauth1 import access
@@ -164,6 +165,7 @@ def __init__(self, auth_url, identity_provider, protocol, client_id,
         self.redirect_uri = "http://%s:%s" % (self.redirect_host, self.redirect_port)
         self.code_verifier = None
         self.code_challenge = None
+        self.state = uuid.uuid4().hex
         if client_secret in ['', None]:
             self.code_verifier, self.code_challenge = pkce.generate_pkce_pair()
@@ -201,7 +203,8 @@ def _get_authorization_code(self, session):
         payload = {"client_id": self.client_id,
                    "response_type": "code",
                    "scope": self.scope,
-                   "redirect_uri": self.redirect_uri}
+                   "redirect_uri": self.redirect_uri,
+                   "state": self.state}
         if self.code_challenge is not None:
             payload.update({
diff --git a/keystoneauth_oidc/tests/unit/test_oidc.py b/keystoneauth_oidc/tests/unit/test_oidc.py
index f4cf918..9dc2667 100644
--- a/keystoneauth_oidc/tests/unit/test_oidc.py
+++ b/keystoneauth_oidc/tests/unit/test_oidc.py
@@ -118,7 +118,8 @@ def test__get_authorization_code(self,
         payload = {"client_id": self.CLIENT_ID,
                    "response_type": "code",
                    "scope": self.plugin.scope,
-                   "redirect_uri": self.plugin.redirect_uri}
+                   "redirect_uri": self.plugin.redirect_uri,
+                   "state": self.plugin.state}
         url = "%s?%s" % (self.AUTHORIZATION_ENDPOINT,
                          urllib.parse.urlencode(payload))
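Review bot: `import uuid` is appended after `import webbrowser`, which breaks the alphabetical order the surrounding `import` group (`pkce`, `socket`, `webbrowser`) otherwise follows; place it between `import socket` and `import webbrowser`. The rest of the import section is outside this hunk, so any grouping convention further up cannot be checked from here.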
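Review bot: `self.state = uuid.uuid4().hex` fixes the OAuth state once, at construction time, so a plugin instance whose `_get_authorization_code` runs more than once (for example on re-authentication) would send the same state value in every authorization request, whereas the value is meant to be unguessable per request. If instances are reused in that way (inferred, not visible in this hunk), generating the value at request time, e.g. `self.state = uuid.uuid4().hex` as the first statement of `_get_authorization_code` while keeping the attribute so the redirect handler and tests can read it, keeps it fresh. `uuid.uuid4()` draws from `os.urandom`, so the entropy is adequate; `secrets.token_urlsafe(32)` is the more idiomatic choice for a security token and would make the intent explicit. `__init__` continues beyond the end of the hunk.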
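Review bot: The added `"state": self.state` entry sends the value to the provider, but nothing in this diff compares the `state` echoed back on the redirect to `self.state`; unless the redirect handler already does so, the request-forgery protection that the state parameter exists for (RFC 6749 §10.12) is only half in place, since a code delivered to the local listener would be accepted regardless of which request it belongs to. Where the redirect query string is parsed (outside this hunk), add a check along the lines of `if returned_state != self.state: raise <authorization-failure exception>` (constructed; use the handler's actual variable and the exception type callers of this plugin already catch), and the comparison should happen before the code is exchanged for tokens. A short comment on the `"state"` line, `# echoed back on the redirect and checked against self.state to tie the code to this request`, would tell the next reader where the value is consumed. `_get_authorization_code` continues past the end of the hunk.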
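Review bot: The expected payload reads `"state": self.plugin.state` straight from the object under test, so the assertion passes for any value the plugin happens to hold, including an empty or constant one. A companion assertion such as `self.assertTrue(self.plugin.state)`, or a check that two separately constructed plugins yield different states, would pin the property the change is meant to provide. `test__get_authorization_code` continues outside the hunk, so the URL comparison that follows cannot be assessed from here.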