diff --git a/server/controllers/oidc.js b/server/controllers/oidc.js
index db286a3..1d80135 100644
--- a/server/controllers/oidc.js
+++ b/server/controllers/oidc.js
@@ -1,4 +1,5 @@
 import axios from 'axios';
+import {Buffer} from 'buffer';
 import { randomUUID } from 'crypto';
 import pkceChallenge from "pkce-challenge";
@@ -16,7 +17,7 @@ const configValidation = () => {
 }
 const oidcSignIn = async (ctx) => {
- const { state } = ctx.query;
+ let { state } = ctx.query;
 const { OIDC_CLIENT_ID, OIDC_REDIRECT_URI, OIDC_SCOPES, OIDC_AUTHORIZATION_ENDPOINT } = configValidation();
 // Generate code verifier and code challenge
@@ -26,6 +27,11 @@ const oidcSignIn = async (ctx) => {
 // Store the code verifier in the session
 ctx.session.codeVerifier = codeVerifier;
+ if (!state) {
+ state = crypto.getRandomValues(Buffer.alloc(32)).toString('base64url');
+ }
+ ctx.session.oidcState = state;
+
 const params = new URLSearchParams();
 params.append('response_type', 'code');
 params.append('client_id', OIDC_CLIENT_ID);
@@ -51,6 +57,9 @@ const oidcSignInCallback = async (ctx) => {
 if (!ctx.query.code) {
 return ctx.send(oauthService.renderSignUpError(`code Not Found`))
 }
+ if (!ctx.query.state || ctx.query.state !== ctx.session.oidcState) {
+ return ctx.send(oauthService.renderSignUpError(`Invalid state`))
+ }
 const params = new URLSearchParams();
 params.append('code', ctx.query.code);
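Review bot: The new fallback in oidcSignIn calls `crypto.getRandomValues(...)` on a bare `crypto` identifier that this file never imports — the first hunk only brings `randomUUID` in from 'crypto' — so it works only where a global WebCrypto object is present (unflagged from Node 19; older runtimes throw a ReferenceError and sign-in fails whenever the caller omits `state`). The file already imports from 'crypto', so the portable form is `import { randomBytes, randomUUID } from 'crypto';` and `state = randomBytes(32).toString('base64url');`, which also makes the added `Buffer` import unnecessary. In oidcSignInCallback the session value is compared but never cleared, so the same callback URL can be replayed against the session until a new sign-in overwrites it; add `delete ctx.session.oidcState;` right after the check passes so each state is single-use. Honoring a caller-supplied `state` from `ctx.query` also lets whoever crafts the sign-in link pre-choose the value bound to the session; if that query parameter exists to carry something like a return path, consider always generating the nonce server-side and storing that extra data separately. Both enclosing functions start and end outside these hunks.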