dokuwiki-plugin-oauth
OAuth2: enable state parameter by default
As a first, simple step to fix #161, I propose to enable the state parameter by default. In contrast to nonce and code_challenge, it is already implemented in lusitanian/oauth.
state is also the oldest and most well-established mechanism of the three, so I expect that most providers support it. If any provider does not support it, it can be disabled again by overwriting Service.needsStateParameterInAuthUrl().
I understand that this is a breaking change, but I think offering secure defaults is worth it.
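
Added example, not part of the pull request and not code from the plugin or from lusitanian/oauth: a self-contained sketch of the check that the state parameter gives a client, namely that a callback is accepted only when it carries the value issued to the same session. The helper names, the `oauth2_state` session key and the example.com-style URLs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; $session stands in for $_SESSION.
const STATE_KEY = 'oauth2_state';

/** Create an unguessable state value and bind it to the user's session. */
function issueState(array &$session): string
{
    $state = bin2hex(random_bytes(16));
    $session[STATE_KEY] = $state;
    return $state;
}

/** Build the authorization URL with the state parameter attached. */
function buildAuthUrl(string $endpoint, string $clientId, string $redirectUri, string $state): string
{
    return $endpoint . '?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUri,
        'state'         => $state,
    ]);
}

/** Accept the callback only if its state matches the one stored for this session. */
function verifyCallback(array &$session, array $query): bool
{
    $expected = $session[STATE_KEY] ?? null;
    unset($session[STATE_KEY]);           // single use: a replayed callback fails
    $received = $query['state'] ?? null;
    if (!is_string($expected) || !is_string($received)) {
        return false;                     // missing state is a rejection, not a pass
    }
    return hash_equals($expected, $received);
}

// Constructed sample flow (endpoint, client id and redirect URI are placeholders).
$session = [];
$state = issueState($session);
echo buildAuthUrl('https://idp.example/authorize', 'CLIENT_ID', 'https://wiki.example/doku.php', $state), "\n";

var_dump(verifyCallback($session, ['code' => 'abc', 'state' => $state]));  // matching state
var_dump(verifyCallback($session, ['code' => 'abc', 'state' => $state]));  // replay, state already consumed
$session = [];
issueState($session);
var_dump(verifyCallback($session, ['code' => 'xyz']));                     // callback without state
```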