Based on the information provided in the knowledge sources, I can address your question about the state parameter in OAuth 2.0 and Ory's implementation. You are correct that according to the OAuth 2.0 standard, the state parameter is not strictly required. However, Ory's implementation, which is based on the Ory Fosite library, enforces the use of the state parameter as a security measure. According to the [OAuth 2.0 security overview](https://www.ory.sh/docs/hydra/security-architecture), Ory enforces "random states" as one of its security principles: "Enforcing random states: Without a random-looking state or OpenID Connect nonce the request will fail." This is implemented as a security feature to prevent cross-site request forgery (CSRF) attacks. The state parameter helps to maintain the security of the OAuth 2.0 flow by ensuring that the authorization request and response are linked and haven't been tampered with. Unfortunately, based on the provided knowledge sources, there doesn't appear to be a way to configure Ory's OAuth 2.0 implementation to support scenarios where the state parameter is not passed. The enforcement of the state parameter seems to be a deliberate design decision to enhance security. If you need to use Ory's OAuth 2.0 implementation, you would need to ensure that your client always includes a state parameter in the authorization request. If this is not possible in your use case, you may need to consider alternative OAuth 2.0 implementations that allow for more flexibility with the state parameter. It's worth noting that while the OAuth 2.0 standard doesn't require the state parameter, its use is strongly recommended for security reasons. Ory's strict enforcement of this parameter aligns with best practices for OAuth 2.0 security.