The OAuth2 specification RECOMMENDS setting the state to protect against
CSRF attacks. Some OAuth2 providers (e.g. ORY Hydra) refuse to
authenticate without the state set.

This is a cherry-pick of 852868419dc03d5dec79e75a3d7692ab670c927f.

Signed-off-by: haslersn <sebastian.hasler@gmx.net>