From c4c9e502cb3bd674659efd8cf8ee98c5c916e734 Mon Sep 17 00:00:00 2001
From: Dave Tonge
Date: Sat, 15 Sep 2018 10:07:59 +0200
Subject: [PATCH] fix: stop sending state on the authorisation code token grant
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This was added a long time ago as it was recommended by an early ‘mix-up mitigation’ draft. It is now no longer the recommended option as evidenced by the latest ‘oauth security topics’ BCP.
---
 lib/client.js | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/client.js b/lib/client.js
index 5597b598..4ad5f57e 100644
--- a/lib/client.js
+++ b/lib/client.js
@@ -376,7 +376,6 @@ class Client {
 code: params.code,
 redirect_uri: redirectUri,
 code_verifier: checks.code_verifier,
- state: checks.state,
 })
 .then(tokenset => this.decryptIdToken(tokenset))
 .then(tokenset => this.validateIdToken(tokenset, checks.nonce, 'token', checks.max_age))
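Review bot: The token request body at the top of the hunk now omits `state` with nothing in the code recording why, so a maintainer who still has the older mix-up draft in mind is likely to re-add it; a why-comment next to `code_verifier: checks.code_verifier,` would prevent that, e.g. `// state is deliberately not sent to the token endpoint: the OAuth Security Topics BCP mix-up mitigation relies on a per-issuer redirect_uri / the iss response parameter, not on echoing state here`. Dropping the parameter also means this request no longer carries anything that ties the code back to the authorization response the client saw, so the comparison of the returned `state` against `checks.state` — which presumably happens earlier in this method, outside the hunk — becomes the only place that check is enforced and should stay mandatory whenever `checks.state` was supplied. If the library does not already require a distinct `redirect_uri` per issuer, it would be worth stating in the client documentation that callers need that (or an `iss` check on the authorization response) to keep mix-up protection after this change. The enclosing method starts and ends outside the hunk.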