There seem to be quite a few questions in the community about how to use the
state parameter in OAuth2 to maintain / restore user state ("State parameter and user redirection", "Usage of the OAuth state parameter"), and the docs don't really make the usage clear: https://auth0.com/docs/protocols/oauth2/oauth-state
My question is: how should state be encoded into the state parameter vs. stored in local storage? In other words, why put the redirect URL into the state if we are going to compare the state value against something in local storage? Why not just encode a nonce and then, if that matches, load the redirect URL from local storage?