diff --git a/services/idp/src/utils.js b/services/idp/src/utils.js
index dcbfaaedc4..5f900aae80 100644
--- a/services/idp/src/utils.js
+++ b/services/idp/src/utils.js
@@ -1,5 +1,16 @@
 export function withClientRequestState(obj) {
- obj.state = Math.random().toString(36).substring(7);
+ obj.state = generateState(16);
 return obj;
 }
+
+function dec2hex (dec) {
+ return dec.toString(16).padStart(2, "0")
+}
+
+// generateState :: Integer -> String
+function generateState (len) {
+ var arr = new Uint8Array((len || 16) / 2)
+ window.crypto.getRandomValues(arr)
+ return Array.from(arr, dec2hex).join('')
+}
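Review bot: `generateState(16)` returns 16 hex characters, which is only 8 bytes (64 bits) from `getRandomValues`, because `len` counts output characters and is halved to size the byte array; if `state` is the CSRF binding value for the authorization request, that falls short of the 2^-128 guessing bound RFC 6749 section 10.10 sets for generated tokens and credentials. Calling `obj.state = generateState(32);` in `withClientRequestState` gives 128 bits, and the comment above the helper should state the unit, e.g. `// generateState :: Integer -> String; len is the number of hex characters returned (len / 2 random bytes)`. An odd `len` is silently truncated by the typed-array constructor, so `new Uint8Array(Math.ceil((len || 16) / 2))` with a `.slice(0, len)` on the joined string would keep the length contract. `window.crypto` assumes a window context, so `globalThis.crypto` would keep the helper usable in workers and test runners. As a style point, the new functions omit the semicolons the surrounding lines use and declare `arr` with `var` where `const` would do.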