jtroussard
commented
4 years ago I cannot speak for the original developer but I think the idea here is that if the program passes the state, it inherently manages that value and doesn't need to set the OAuth2Session class variable. Additionally the method returns the same state, perhaps for verification. I'll admit on the surface this does appears odd, thanks for pointing this peculiarity out.
Ultimately if this isn't causing a bug, the design can stay.
If state is not passed to OAuth2Session.authorization_url() a new state value is generated and assigned to self._state. If state is passed to authorization_url() then self._state is not updated.
Is this behaviour correct? Should self._state also be updated to match the authorization_url() passed state value?