oidc: shouldn't the state be random?

[bbigras]

Shouldn't the state be random (or maybe derived from the session) to protect against attacks?

https://auth0.com/docs/protocols/oauth2/oauth-state

[OKinane]

Hello @Luzifer, any comment on this issue?

[Luzifer]

With the current structure of the repo / providers it's not possible as the provider to fulfill the login is chosen from the state. I've added this to the v1.x plan: #87