ocaml-oidc
The OAuth2 example does not use the state parameter
A `state` parameter that is somehow associated with the client's user agent (usually meaning, with a cookie) is necessary to protect the OAuth2 callback from CSRF-like attacks. The library code appears to support passing `state` around, but the example does not use `state`, and it does not appear to be pointed out in the library docs.
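The mechanism the issue describes, shown as an added, library-independent illustration rather than code from ocaml-oidc or from the issue author: a fresh `state` is generated per login attempt, bound to the browser's session cookie on the server side, and the callback is rejected unless the `state` it carries matches (and has not been used before). The endpoint, client id, redirect URI and the in-memory `_sessions` dict are assumptions standing in for a real session store and provider configuration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical provider/client configuration (placeholders, not real endpoints).
AUTHORIZATION_ENDPOINT = "https://issuer.example/authorize"
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://client.example/callback"

# Server-side session store keyed by the opaque session-cookie value.
# Constructed stand-in for a cookie-backed session in a real web framework.
_sessions = {}


def begin_login(session_cookie):
    """Generate a fresh state, bind it to the caller's session, and build the redirect URL."""
    state = secrets.token_urlsafe(32)
    _sessions.setdefault(session_cookie, {})["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def state_from_url(url):
    """Extract the state parameter from a URL (helper used by the demo and checks)."""
    return parse_qs(urlparse(url).query).get("state", [None])[0]


def handle_callback(session_cookie, callback_url):
    """Verify the callback's state against the one bound to this session.

    Returns the authorization code on success; raises ValueError otherwise.
    """
    query = parse_qs(urlparse(callback_url).query)
    received_state = query.get("state", [None])[0]
    code = query.get("code", [None])[0]
    session = _sessions.get(session_cookie, {})
    # pop() makes the state single-use: a replayed callback fails the same way
    # as one that never started from this session.
    expected_state = session.pop("oauth_state", None)
    if expected_state is None or received_state is None:
        raise ValueError("missing state: callback was not initiated by this session")
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    if not hmac.compare_digest(expected_state, received_state):
        raise ValueError("state mismatch: callback does not belong to this session")
    if code is None:
        raise ValueError("missing authorization code")
    return code


def callback_accepted(session_cookie, callback_url):
    """Boolean wrapper around handle_callback for use in checks."""
    try:
        handle_callback(session_cookie, callback_url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Legitimate flow: the same session that started the login completes it.
    url = begin_login("session-A")
    ok = callback_accepted("session-A", f"{REDIRECT_URI}?code=abc&state={state_from_url(url)}")
    print("legitimate callback accepted:", ok)
    # A callback carrying a state that was issued to a different session is refused.
    other = begin_login("session-B")
    begin_login("session-A")
    print("cross-session callback accepted:",
          callback_accepted("session-A", f"{REDIRECT_URI}?code=xyz&state={state_from_url(other)}"))
```

The important design point is that `state` is checked against something the attacker cannot set, namely the value stored under the victim's own session cookie, and that it is consumed on first use so the callback cannot be replayed.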