The "state" parameter should be intended as an anti-XSRF mechanism, and the application should compare the session-stored anti-XSRF token with the one provided in the state parameter passed during the authentication flow. This is not covered by this PR.
Note: this functionality is not tested and could break the existing test case, so please change it accordingly.
This fixes the above-mentioned vulnerability.
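The state check described above, as an added example that is not part of this PR or of the project's code. It assumes the session is a dict-like object; the names `STATE_KEY`, `begin_authorization` and `verify_callback_state` are hypothetical.

```python
import hmac
import secrets

# Hypothetical session key under which the anti-XSRF token is stored.
STATE_KEY = "oauth_state"


def begin_authorization(session: dict) -> str:
    """Create a fresh state value, bind it to the session, and return it
    so the caller can place it in the authorization redirect."""
    state = secrets.token_urlsafe(32)  # unpredictable, URL-safe token
    session[STATE_KEY] = state
    return state


def verify_callback_state(session: dict, returned_state) -> bool:
    """Compare the state received on the callback with the session copy."""
    # pop() makes the token single-use: it is consumed whether or not
    # the comparison succeeds, so a callback cannot be replayed.
    expected = session.pop(STATE_KEY, None)
    if not expected:
        return False  # no flow was started from this session
    if not isinstance(returned_state, str) or not returned_state:
        return False  # state missing from the callback
    # Constant-time comparison of the two tokens.
    return hmac.compare_digest(expected.encode(), returned_state.encode())


if __name__ == "__main__":
    session = {}  # constructed stand-in for a server-side session
    state = begin_authorization(session)
    print("matching state:", verify_callback_state(session, state))
    print("replayed state:", verify_callback_state(session, state))
```

The callback handler should reject the request before exchanging the authorization code whenever `verify_callback_state` returns `False`.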