Comment by madeofpalk

At the least you're supposed to validate the at the returning "state" parameter is the same value as what you sent (using cookies or local storage).

Ideally you would 'consume' the token before redirecting, and not send it to the second redirecting url.