But this is a requirement of user oAuth (for any service) you have to leave your site to go to the service site to grant account access.
Depends what you mean by “state”.
If you mean “state” as in the “state parameter for CSRF attack defense”, I store it in the session. And a sessionID cookie is stored on the users computer in order to recall that session