[Security] Require the "state" param by default

[dkarlovi]

Currently, the bundle allows for auth requests to be made without the "state" param which is technically correct as it is not required, only recommended.

But, it's a very strong recommendation (even in the specification) to include it, as it allows for protection against CSRF which becomes quite important.

Auth request without a state should be treated as an invalid request by default.

[Spomky]

Agreed.

I guess the modification to perfom is (at least) to set the enforce_state parameter to true in the configuration file or to force this parameter in the bundle extension (if not already set to false).