We implemented state parameter check as the doc says: https://auth0.com/docs/protocols/oauth2/oauth-state, but later we turned on the google mfa (via rules) and the state check stopped working. Every time when user has redirected to the mfa screen, the state parameter is changing, and of course the state check will be failed.
How we check the state parameter during login+mfa process properly?
I apologize for the delayed response on this question. I would like to reopen the topic for discussion and provide some assistance if possible.
I am wondering if you are still running into this issue. If you are can you try to login in a private browsing tab? If that does not work then DMing me a HAR file may be the best option.