blue-button / blue-button-plus-pull

Spec for BlueButton+ Pull
http://blue-button.github.io/blue-button-plus-pull/

Resolve question of entropy in client-generated state param at authorization #23

Open jmandel opened 11 years ago

jmandel commented 11 years ago

Reported by Joseph Lorenzo Hall via http://wiki.siframework.org/BlueButtonPlus+Pull+API+Documentation+Consensus

https://github.com/blue-button/blue-button-plus-pull/blob/eb86bcfb02fad0c877b9c36976ee6bcd99b77749/index.html#L1492 leaves an open question

jmandel commented 11 years ago

@jricher I'd suggest we say "The state parameter SHOULD be used, with sufficient entropy for preventing cross-site request forgery." If you want to make a specific entropy recommendation (or requirements) in bits, let me know what you have in mind.

jricher commented 11 years ago

I'm fine with that -- what we ended up doing in OpenID Connect's latest draft is to say "sufficient entropy" and then list examples of "bad entropy", like a static value, increasing sequence of integers, and things like that.
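Client-side handling of the state parameter the thread discusses, as an added example that is not part of the spec or the commenters' work: it draws the state from a CSPRNG (128 bits is an assumed figure; the thread does not fix a number), binds it to the user's session, checks it exactly once on the redirect back, and flags the "bad entropy" patterns jricher names (a static value, an increasing integer sequence). The session store is a constructed in-memory stand-in.

```python
import hmac
import secrets
from typing import Dict, List, Optional

STATE_BYTES = 16  # 128 bits of randomness; assumed minimum, not taken from the spec

# Constructed stand-in for a server-side, per-user session store.
_sessions: Dict[str, str] = {}


def issue_state(session_id: str) -> str:
    """Generate an unguessable state value and bind it to the user's session.

    The binding is what makes the value useful against CSRF: only this session
    knows which state it sent to the authorization server.
    """
    state = secrets.token_urlsafe(STATE_BYTES)
    _sessions[session_id] = state
    return state


def verify_state(session_id: str, returned_state: Optional[str]) -> bool:
    """Check the state echoed on the redirect URI; the value is single-use."""
    expected = _sessions.pop(session_id, None)  # consume even on failure
    if expected is None or returned_state is None:
        return False
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, returned_state)


def looks_low_entropy(states: List[str]) -> bool:
    """Heuristic over a sample of states one client produced.

    Returns True for the patterns the thread calls out as bad entropy:
    every state identical, or the states form an increasing integer sequence.
    """
    if len(states) < 2:
        return False
    if len(set(states)) == 1:
        return True  # static value
    try:
        nums = [int(s) for s in states]
    except ValueError:
        return False  # not integers at all; the other checks do not apply
    return all(b > a for a, b in zip(nums, nums[1:]))  # counter-style sequence
```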