fix: add state in access token response (implicit flow)

pkg/oidc/token.go

@@ -396,6 +396,7 @@ type AccessTokenResponse struct {
 	RefreshToken string `json:"refresh_token,omitempty" schema:"refresh_token,omitempty"`
 	ExpiresIn    uint64 `json:"expires_in,omitempty" schema:"expires_in,omitempty"`
 	IDToken      string `json:"id_token,omitempty" schema:"id_token,omitempty"`
+	State        string `json:"state,omitempty" schema:"state,omitempty"`
 }
 
 type JWTProfileAssertionClaims interface {

pkg/op/token.go

@@ -35,11 +35,13 @@ func CreateTokenResponse(ctx context.Context, request IDTokenRequest, client Cli
 		return nil, err
 	}
 
+	var state string
 	if authRequest, ok := request.(AuthRequest); ok {
 		err = creator.Storage().DeleteAuthRequest(ctx, authRequest.GetID())
 		if err != nil {
 			return nil, err
 		}
+		state = authRequest.GetState()
 	}
 
 	exp := uint64(validity.Seconds())
@@ -49,6 +51,7 @@ func CreateTokenResponse(ctx context.Context, request IDTokenRequest, client Cli
 		RefreshToken: newRefreshToken,
 		TokenType:    oidc.BearerToken,
 		ExpiresIn:    exp,
+		State:        state,
 	}, nil
 }