Imagine a situation in which the client doesn't provide the state parameter but is using the PKCE method.
How can a CSRF attack be performed?
Is there any need for the state parameter if the client is using PKCE?
I read https://security.stackexchange.com/a/215027 but it didn't provide a good example.
The state parameter is something that the client validates, and unfortunately not every client implementation validates the state parameter properly. So it is a risk to let the clients be responsible for this.
PKCE is validated by the authorization server, and it probably does a better job of verifying this than the clients would.
So I think they both complement each other: if one of the parties involved forgets to validate, the other protection will still cover it.
I recently blogged about the state and nonce parameter here:
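As an added example (not part of the question or answer above, and not taken from the linked blog), the following Python simulation models the login-CSRF the question asks about: the attacker runs an authorization flow in their own browser, captures the redirect instead of visiting it, and makes the victim's browser load that callback URL. The in-memory `AuthorizationServer` and `Client` classes, their method names, and the assumption that the server also accepts non-PKCE clients are all hypothetical, chosen only to show who performs which check. `simulate_csrf` reports which party stopped the attack, so you can see the client's state check and the server's PKCE check covering for each other, and the attack succeeding when both are missing.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for S256 code challenges."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_challenge(verifier: str) -> str:
    """S256 transform: code_challenge = BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode()).digest())


class AuthorizationServer:
    """Hypothetical minimal AS: binds each code to the challenge it was issued with."""

    def __init__(self):
        self.codes = {}  # code -> code_challenge (None if the client sent no PKCE)

    def authorize(self, code_challenge, state):
        code = secrets.token_urlsafe(16)
        self.codes[code] = code_challenge
        # The redirect back to the client carries the code and echoes the state.
        return {"code": code, "state": state}

    def token(self, code, code_verifier):
        if code not in self.codes:
            raise PermissionError("unknown or already used code")
        challenge = self.codes.pop(code)  # single use
        # Assumption: this AS still serves clients that did not use PKCE.
        if challenge is not None and make_challenge(code_verifier or "") != challenge:
            raise PermissionError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(16)}


class Client:
    """Hypothetical confidential client; each instance is one browser session."""

    def __init__(self, az, use_pkce=True, check_state=True):
        self.az = az
        self.use_pkce = use_pkce
        self.check_state = check_state
        self.session = {}

    def start_login(self):
        # Fresh per-session secrets: the PKCE defense depends on this.
        verifier = secrets.token_urlsafe(32) if self.use_pkce else None
        self.session["verifier"] = verifier
        self.session["state"] = secrets.token_urlsafe(16)
        return {
            "code_challenge": make_challenge(verifier) if verifier else None,
            "state": self.session["state"],
        }

    def callback(self, params):
        # Client-side check: the echoed state must match this session's state.
        if self.check_state and params.get("state") != self.session.get("state"):
            raise PermissionError("state mismatch (blocked by client)")
        verifier = self.session.pop("verifier", None)
        return self.az.token(params["code"], verifier)


def simulate_csrf(use_pkce: bool, check_state: bool) -> str:
    """Run the login-CSRF and report who stopped it (or that it succeeded)."""
    az = AuthorizationServer()
    victim = Client(az, use_pkce, check_state)
    attacker = Client(az, use_pkce, check_state)

    victim.start_login()  # victim has a pending flow with their own verifier/state
    # Attacker starts their own flow and captures the redirect instead of following it.
    attacker_redirect = az.authorize(**attacker.start_login())
    # Attacker makes the victim's browser load that callback URL (link, <img>, etc.).
    try:
        victim.callback(attacker_redirect)
    except PermissionError as e:
        return str(e)
    return "token issued: victim session is now bound to the attacker's account"
```

With neither check, the victim's session ends up logged in as the attacker. With PKCE alone, the client exchanges the attacker's code with the victim's own code_verifier, and the authorization server rejects it because the hash does not match the challenge bound to that code. With state alone, the client rejects the callback before any token request. The PKCE outcome holds only because the client generates a new code_verifier per session and keeps it there; a client that reuses a verifier or accepts one from the request would lose that protection.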