The error you mentioned typically occurs when the state parameter is missing and you are using an OIDC-conformant client. Usually this problem occurs when users bookmark the /login URL that /authorize redirects to and attempt to log in directly.
The endpoint that the client application should redirect to is /authorize, which is the entry point for redirect-based flows (Authentication API Explorer).
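As an added illustration (not part of the original answer), this sketch shows a client starting every login at /authorize with a fresh state value and rejecting a callback whose state is missing or does not match. The issuer, client ID, redirect URI and the dict-based session are placeholder assumptions.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder values (assumptions for this example, not from the post).
ISSUER = "https://tenant.example.com"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"


def start_login(session: dict) -> str:
    """Begin a redirect-based flow: always send the browser to /authorize."""
    state = secrets.token_urlsafe(32)
    session["oidc_state"] = state  # bind the value to this browser session
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
    })
    return f"{ISSUER}/authorize?{query}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Return the authorization code only if state matches the stored value."""
    params = parse_qs(urlparse(callback_url).query)
    returned = params.get("state", [""])[0]
    expected = session.pop("oidc_state", "")  # single use: a replay finds nothing
    if not expected or not returned:
        raise ValueError("state missing; restart the flow at /authorize")
    # Constant-time comparison on bytes, so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(expected.encode(), returned.encode()):
        raise ValueError("state mismatch; restart the flow at /authorize")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code
```

On a ValueError the application should discard the callback and call start_login again instead of showing the user a login form directly.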