OK, so there is your problem. The "state" parameter is designed to alert you to a possible CSRF attack: the returned value should match the passed value - basically the service should return the value you send to it (don't ask me how this protection actually works - I've never figured it out, but there we have it <g>).

Try removing the Send AddParam "state" from your OnBeforeLogin procedure in the DF code.

Rightly or wrongly (perhaps reflecting the fact that I clearly didn't really understand the issue <g>), the OAuth2 JavaScript component assigns the value of your DataFlex session cookie to the state parameter, but you are supplying an additional "state" parameter, which is confusing the service. The service is obviously returning the latter of these two, which does not match the one the component is expecting, which is what is going wrong. Just let the component do its thing (i.e. DO NOT supply that additional state parameter) and it should be OK I think.

Mike
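The round trip and the duplicate-parameter failure discussed in the reply above, as an added example that is not part of the original post and not the DataFlex OAuth2 component's code. The endpoint, client id, state values and all function names are constructed, and the simulated service echoes the last `state` it receives, as reported in the thread. The check works because only the browser session that started the login knows the expected value, so a callback that did not originate from that session fails the comparison.

```javascript
// Added example. Endpoint, client id and state values are constructed placeholders.
const AUTH_ENDPOINT = "https://auth.example.test/authorize";
const RESERVED = new Set(["state", "client_id", "redirect_uri", "response_type"]);

// Build the authorization URL and refuse extra parameters that collide with
// ones the client sets itself (the duplicate "state" case from the thread).
function buildAuthUrl(clientId, redirectUri, state, extraParams = []) {
  const url = new URL(AUTH_ENDPOINT);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("state", state);
  for (const [name, value] of extraParams) {
    if (RESERVED.has(name)) throw new Error(`extra "${name}" collides with a client parameter`);
    url.searchParams.append(name, value);
  }
  return url.toString();
}
// Compare two strings without returning early on the first differing character.
function sameString(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}
// Check the redirect sent back by the service against the state the client stored.
function checkCallback(callbackUrl, expectedState) {
  const states = new URL(callbackUrl).searchParams.getAll("state");
  if (states.length !== 1) return { ok: false, reason: "expected exactly one state" };
  if (!sameString(states[0], expectedState)) return { ok: false, reason: "state mismatch" };
  return { ok: true, reason: "state matches" };
}
// Simulated service (assumption): echoes the LAST "state" it was sent.
function serviceEcho(authUrl) {
  const params = new URL(authUrl).searchParams;
  const sent = params.getAll("state");
  const redirect = new URL(params.get("redirect_uri"));
  redirect.searchParams.set("code", "constructed-code");
  redirect.searchParams.set("state", sent[sent.length - 1]);
  return redirect.toString();
}
// Run both cases: one state parameter, then a second one appended by the application.
function demo() {
  const expected = "constructed-state-8f2c";
  const good = buildAuthUrl("my-client", "https://app.example.test/cb", expected);
  const dup = good + "&state=app-supplied"; // what an additional state parameter produces
  return {
    good: checkCallback(serviceEcho(good), expected),
    duplicate: checkCallback(serviceEcho(dup), expected),
  };
}
```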