Why does STATE_PARAMETER is always False ?

Hi. I am having troubles to make a GitHub OAuth2 workflow working. I always get the same error: social_core.exceptions.AuthFailed: Authentication failed: The code passed is incorrect or expired.

I am not sure it is related, but I noticed that STATE_PARAMETER (although being set as True for GitHub), is always set to False by this library. Why ? And what the comment is actually implying ? I couldn't find any documentation about it.

        # skip checking state by setting following params to False
        # it is responsibility of front-end to check state
        # TODO: maybe create an additional resource, where front-end will
        # store the state before making a call to oauth provider
        # so server can save it in session and consequently check it before
        # sending request to acquire access token.
        # In case of token authentication we need a way to store an anonymous
        # session to do it.
        self.request.backend.REDIRECT_STATE = False
        self.request.backend.STATE_PARAMETER = False

My workflow is the following:

a frontend SPA has a button pointing to https://github.com/login/oauth/authorize with correct parameters (including state built on page loading).
once authorized, it is redirected by GitHub to frontend, with code and state, where I can make a post with all code, provider, state.
POST request is made to /auth/social/token/
Django backend receives request, and says: Authentication failed: The code passed is incorrect or expired. (in the auth_complete method of BaseOAuth2 class inside social_core.

Thanks!

st4lk / django-rest-social-auth

Why does STATE_PARAMETER is always False ? #135