Add support for custom state and nonce parameters in OAuth2 authorization

- Add optional state parameter support to OAuth2Provider constructor
- Add optional nonce parameter support to OAuth2Provider constructor
- Use custom state parameter if provided, otherwise generate UUID (maintains backward compatibility)
- Include nonce parameter in authorization URL when provided
- Both parameters are properly URL-encoded for security

This enables developers to:
- Pass custom state values for enhanced CSRF protection
- Include nonce parameter for OpenID Connect ID token verification
- Maintain existing behavior when parameters are not provided

Note: The existing commented-out state verification code should be
uncommented and updated to properly validate returned state parameters.

Author: yannicktrinh

Project/Sources/Classes/OAuth2Provider.4dm

@@ -70,15 +70,15 @@ The application secret that you created in the app registration portal for your
 /*
 Any valid existing token
 */
-		If (Value type($inParams.token.token)=Is object)
+		If ((Value type($inParams.token)=Is object) && (Value type($inParams.token.token)=Is object))
 			This.token:=$inParams.token.token
 		Else 
 			This.token:=Choose(Value type($inParams.token)=Is object; $inParams.token; Null)
 		End if 
 
 /*
 */
-		If (Value type($inParams.token.tokenExpiration)=Is text)
+		If ((Value type($inParams.token)=Is object) && (Value type($inParams.token.tokenExpiration)=Is text))
 			This.tokenExpiration:=$inParams.token.tokenExpiration
 		Else 
 			This.tokenExpiration:=Choose(Value type($inParams.tokenExpiration)=Is text; $inParams.tokenExpiration; Null)
@@ -89,7 +89,16 @@ Any valid existing token
 		This:C1470.timeout:=Choose:C955(Value type:C1509($inParams.timeout)=Is undefined:K8:13; 120; Num:C11($inParams.timeout))
 
 	End if 
-	
+/*
+A unique string value that is used to maintain state between the request and response. Can be used to mitigate CSRF attacks.
+*/
+		This:C1470.state:=String:C10($inParams.state)
+		
+/*
+A random value used by the app to verify the ID token. Used to prevent replay attacks.
+*/
+		This:C1470.nonce:=String:C10($inParams.nonce)
+			
 	This:C1470._finally()
 
 
@@ -99,9 +108,10 @@ Any valid existing token
 
 Function _OpenBrowserForAuthorisation()->$authorizationCode : Text
 
-	var $url; $redirectURI; $state; $scope : Text
+	var $url; $redirectURI; $state; $scope; $nonce : Text
 
-	$state:=Generate UUID:C1066
+	$state:=Choose:C955(Length:C16(This:C1470.state)>0; This:C1470.state; Generate UUID:C1066)
+	$nonce:=This:C1470.nonce
 	$redirectURI:=This:C1470.redirectURI
 	$url:=This:C1470.authenticateURI
 	$scope:=This:C1470.scope
@@ -134,7 +144,9 @@ Function _OpenBrowserForAuthorisation()->$authorizationCode : Text
 				$url+="&scope="+_urlEscape($scope)
 			End if 
 			$url+="&state="+String:C10($state)
-			
+			If (Length:C16(String:C10($nonce))>0)
+				$url+="&nonce="+_urlEscape($nonce)
+			End if			
 			Use (Storage:C1525)
 				OB REMOVE:C1226(Storage:C1525; "token")
 				Storage:C1525.params:=New shared object:C1526("redirectURI"; $redirectURI)