fix state handling in auth request

pkg/rp/default_rp.go

@@ -153,7 +153,11 @@ func (p *DefaultRP) AuthURL(state string, opts ...AuthURLOpt) string {
 //AuthURL is the `RelayingParty` interface implementation
 //extending the `AuthURL` method with a http redirect handler
 func (p *DefaultRP) AuthURLHandler(state string) http.HandlerFunc {
-	return AuthURLHandler(state, p)
+	return AuthURLHandler(
+		func() string {
+			return state
+		}, p,
+	)
 }
 
 //deprecated: Use CodeExchange func and provide a RelayingParty

pkg/rp/relaying_party.go

@@ -230,9 +230,10 @@ func AuthURL(state string, rp RelayingParty, opts ...AuthURLOpt) string {
 
 //AuthURLHandler extends the `AuthURL` method with a http redirect handler
 //including handling setting cookie for secure `state` transfer
-func AuthURLHandler(state string, rp RelayingParty) http.HandlerFunc {
+func AuthURLHandler(stateFn func() string, rp RelayingParty) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		opts := make([]AuthURLOpt, 0)
+		state := stateFn()
 		if err := trySetStateCookie(w, state, rp); err != nil {
 			http.Error(w, "failed to create state cookie: "+err.Error(), http.StatusUnauthorized)
 			return