cereal_cable | 2 years ago

I'm pretty confident you're wrong there. The state param mentioned is a part of PKCE to verify to the originating source code that you've received the code. The original source of the request then can use that state and compare it to the starting request (or even use it to look it up) and then generate a verifier code to send to the token endpoint along with the code to exchange for tokens. This attempts to prevent a MITM attack by keeping something secret.

I believe what you are actually wanting to discuss is the aud claim, or rather the audience claim.
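A client-side sketch of the flow the comment describes, added here as an example (not the commenter's code): the client stores the verifier under the state it sent, checks the returned state on the redirect before using the code, and sends the verifier with the code to the token endpoint, where the server recomputes the S256 challenge. The function names, the in-memory `_pending` store and the sample URLs are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Pending authorization requests keyed by state (constructed in-memory store;
# a real client keeps this in the user's server-side session).
_pending = {}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge(verifier: str) -> str:
    # PKCE S256 transform: BASE64URL(SHA256(ASCII(code_verifier))).
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def start_authorization(authorize_url: str, client_id: str, redirect_uri: str) -> str:
    # Fresh, unguessable verifier and state for every request (never reused).
    verifier = b64url(secrets.token_bytes(32))  # 43 chars of [A-Za-z0-9-_]
    state = b64url(secrets.token_bytes(16))
    _pending[state] = {"verifier": verifier, "redirect_uri": redirect_uri}
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge(verifier),  # only the hash leaves the client
        "code_challenge_method": "S256",
    }
    return f"{authorize_url}?{urlencode(params)}"


def handle_redirect(returned_state: str, code: str) -> dict:
    # The state on the redirect must match one we issued; pop() makes it single-use,
    # so a redirect we did not start (or a replayed one) is rejected and the code unused.
    req = _pending.pop(returned_state, None)
    if req is None:
        raise ValueError("unknown or reused state; authorization code discarded")
    # Token-endpoint request body: the code plus the original verifier.
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": req["redirect_uri"],
        "code_verifier": req["verifier"],
    }


def token_endpoint_check(stored_challenge: str, code_verifier: str) -> bool:
    # Server side: recompute S256(verifier) and compare with the challenge stored alongside the code.
    return hmac.compare_digest(code_challenge(code_verifier), stored_challenge)
```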
