diff --git a/cmd/example-app/main.go b/cmd/example-app/main.go
index 327288410ace0b386b5dded50a3b4aa892fc7eba..a188dcccb05bca3f8b306714e9c24e7df50c0c88 100644
--- a/cmd/example-app/main.go
+++ b/cmd/example-app/main.go
@@ -23,6 +23,8 @@ import (
 	"golang.org/x/oauth2"
 )
 
+const exampleAppState = "I wish to wash my irish wristwatch"
+
 type app struct {
 	clientID     string
 	clientSecret string
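Review bot: A fixed `exampleAppState` does not give the callback any CSRF protection, because the value is the same for every browser session and is visible in the redirect URL; the comparison added in handleCallback (third hunk) only confirms that the request came through handleLogin's redirect (second hunk), not that it came from the same user who started the flow. The const should at least say so, e.g. `// exampleAppState is a fixed placeholder; a real client must generate a random, per-login state, store it in the user's session (or a cookie) and compare it in the callback.` The proper fix is to generate the value in handleLogin with crypto/rand, persist it per session, and check it in handleCallback, which would replace the constant in both later hunks.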
@@ -241,9 +243,9 @@ func (a *app) handleLogin(w http.ResponseWriter, r *http.Request) {
 	scopes = append(scopes, "openid", "profile", "email")
 	if a.offlineAsScope {
 		scopes = append(scopes, "offline_access")
-		authCodeURL = a.oauth2Config(scopes).AuthCodeURL("")
+		authCodeURL = a.oauth2Config(scopes).AuthCodeURL(exampleAppState)
 	} else {
-		authCodeURL = a.oauth2Config(scopes).AuthCodeURL("", oauth2.AccessTypeOffline)
+		authCodeURL = a.oauth2Config(scopes).AuthCodeURL(exampleAppState, oauth2.AccessTypeOffline)
 	}
 	http.Redirect(w, r, authCodeURL, http.StatusSeeOther)
 }
@@ -254,6 +256,11 @@ func (a *app) handleCallback(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if state := r.FormValue("state"); state != exampleAppState {
+		http.Error(w, fmt.Sprintf("expected state %q got %q", exampleAppState, state), http.StatusBadRequest)
+		return
+	}
+
 	code := r.FormValue("code")
 	refresh := r.FormValue("refresh_token")
 	var (
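Review bot: The 400 response on the new state check sends the expected state value back to the caller; with a hard-coded constant that reveals nothing new, but once state becomes a per-session secret this pattern hands it to whoever probes the endpoint, so it is worth not copying. Reporting only the received value is enough to debug a mismatch: `http.Error(w, fmt.Sprintf("unexpected state %q", state), http.StatusBadRequest)`. The enclosing handleCallback begins before this hunk and continues after it.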