ChiefOnboarding
OIDC state parameter not present in OAuth2 authorisation request
I was trying to use ChiefOnboarding with our OIDC provider and was stuck getting an error: "The authentication request has an invalid 'state' parameter."
After some digging, I've found that this parameter is not required by the OIDC spec but is recommended (to mitigate CSRF attacks), and some OIDC providers require it (Okta, for example: https://developer.okta.com/docs/reference/api/oidc/#request-parameters).
It would be nice to have it, for the added security and to broaden the OIDC provider options.
Good point. Probably a good idea to just migrate to allauth to get this and potential other issues resolved. It's currently a custom setup and I would likely be more at ease with a battle tested package to avoid having more things come up. I will add it to my list of things to do.
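For reference, this is what the `state` handling the issue asks for looks like around an authorization-code flow. It is an added example, not ChiefOnboarding's code and not allauth's: the provider endpoint, client id, redirect URI and session key are made-up values, and the plain `dict` stands in for a server-side session such as Django's `request.session`. The login view generates an unguessable state, stores it in the session and puts it in the authorization URL; the callback view pops the stored value and compares it in constant time to the one the provider echoes back, so a callback URL the user did not initiate themselves (the CSRF/login-fixation case RFC 6749 §10.12 describes) is rejected instead of silently logging them into someone else's account.

```python
# Added example, not ChiefOnboarding's code: generating, storing and verifying the
# OAuth2/OIDC `state` parameter. Endpoint, client id, redirect URI and session key
# are hypothetical values constructed for the example.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://idp.example.com/oauth2/v1/authorize"  # hypothetical
CLIENT_ID = "example-client-id"                                       # hypothetical
REDIRECT_URI = "https://onboarding.example.com/oidc/callback"         # hypothetical
SESSION_KEY = "oidc_state"


def build_authorization_url(session, state_bytes=32):
    """Login step: mint a random state, remember it server-side, send it to the IdP.

    `session` is any mutable mapping standing in for the user's server-side session.
    """
    state = secrets.token_urlsafe(state_bytes)  # CSPRNG, URL-safe, ~43 chars for 32 bytes
    session[SESSION_KEY] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def state_from_url(url):
    """Return the `state` query value of a URL (None when absent); used in tests."""
    return parse_qs(urlparse(url).query).get("state", [None])[0]


def verify_callback(session, callback_url):
    """Callback step: check the echoed state before touching the authorization code.

    Returns the code on success. Raises ValueError when the state is missing,
    unknown or different from the one stored at login. The stored value is
    consumed (pop) so one state cannot be replayed across callbacks.
    """
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop(SESSION_KEY, None)
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        raise ValueError("missing state")
    # Constant-time comparison: compare_digest avoids leaking the prefix match length.
    if not hmac.compare_digest(expected, received):
        raise ValueError("state mismatch")
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if code is None:
        raise ValueError("missing authorization code")
    return code


def simulate_flows():
    """Run a legitimate flow and a forged callback; return what each produced."""
    # Legitimate flow: the same session that started the login receives the callback.
    session = {}
    auth_url = build_authorization_url(session)
    good_callback = f"{REDIRECT_URI}?code=good-code&state={state_from_url(auth_url)}"
    code = verify_callback(session, good_callback)

    # Forged flow: victim started a login, attacker hands them a callback carrying
    # the attacker's own code and state. The state does not match the victim's session.
    victim_session = {}
    build_authorization_url(victim_session)
    forged_callback = f"{REDIRECT_URI}?code=attacker-code&state=attacker-state"
    try:
        verify_callback(victim_session, forged_callback)
        forged_rejected = False
    except ValueError:
        forged_rejected = True

    return {
        "code": code,
        "state_consumed": SESSION_KEY not in session,
        "forged_rejected": forged_rejected,
    }


if __name__ == "__main__":
    print(simulate_flows())
```

Two details matter in practice: generate the state with `secrets` (not `random`) and bind it to the session, not a cookie the attacker can also set; and pop it on first use so a leaked callback URL cannot be replayed. Providers like Okta that reject requests without `state` are enforcing exactly this, which is why a library such as allauth, which already sends and checks it, is the easy route.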