Fix parameter passing via state query string

[chrt00]

The only URL parameter allowed is the state variable with the Stripe Connect API. This PR addresses this change by encapsulating data as well as the default state (http://www.thread-safe.com/2014/05/the-correct--useof-state-parameter-in.html) within a JWT.

[isaacsanders]

@chrt00 Is there any reason this library needs to do this, as opposed to applications implementing this?

I agree that this approach feels like the best way to pass state parameters, but that doesn't mean it should be in omniauth-stripe-connect.

It feels like unnecessary complexity for the library. Your application may want to do this, but others may have a different set of requirements.

However, if it can be demonstrated that other omniauth strategy providers are implementing this, and this is the approach that omniauth is mandating going forward, I am happy to change.

[isaacsanders]

@chrt00 Another way of approach it is: If this is a security concern (it is), a proposal should be made to the omniauth folks (or even just the omniauth-oauth2 folks), and an approach to ensuring data like this is secured should be determined from the top, because a lot of the Ruby-run web may be authenticating off of omniauth, and would have no approach to secured input.

[isaacsanders]

The author hasn't responded in a long while.