I am using the Authorization Code flow where I proxy all calls to Auth0 through a backend service as described here: Backend For Frontend Authentication Pattern with Auth0 and ASP.NET Core. The main reason I do this is so that tokens are not exposed to the client/browser.
Before the /authorize call, I generate a random string and save it as a key in a dictionary. This dictionary is a singleton and therefore shared across all requests.
I validate the state in the callback by looking to see if it exists as a key in the dictionary.
The associated value from the dictionary stores user information that is otherwise not available in the callback.
Basically I just want to know if this is insecure given that ANY state parameter will be accepted in any callback? I can’t think of another way to achieve this given that we don’t have sessions enabled on our API.