My JS app calls for an OAuth 2 auth request our the docs - something like:
request
.get( 'https://auth.atlassian.com/authorize' )
.query('audience=api.atlassian.com')
.query('client_id=MY CLIENT ID')
.query('scope=read%3Ajira-user%20read%3Ajira-work%20write%3Ajira-work')
.query('redirect_uri=MY REDIRECT URI')
.query('state=MYCUSTOMSTATE')
.query('response_type=code')
.query('prompt=consent'
The request returns a page containing JS code based on the Auth0 libraries. When the browser finishes processing the page, it produces a response that contains this URL for the redirect to my redirect URI:
https://auth.atlassian.com/login?state=g6Fo2SAySldGUkZucnhFdk5WUThFVG1WLXhtUGt5X3RBRmJVRaN0aWTZIElqZ1lOdEtjUkkwb1M2bVZnNlFCLUU5UEFOM0FLUjhLo2NpZNkga1I2Q1Z3NzRGeGJIUDVqVG1Ka2xIeFljT2txWTZqQUM&client=MY CLIENT ID&protocol=oauth2&prompt=consent&audience=api.atlassian.com&scope=read%3Ajira-user%20read%3Ajira-work%20write%3Ajira-work&redirect_uri=MY REDIRECT URI&response_type=code
As you can see, this is a different STATE parameter, when the docs indicate it should be the same as the STATE I sent in the auth request. What's going on here?