The per-authorization state the proxy persists between /authorize and the
upstream callback: the client's dynamic redirect_uri and the client's own
state, keyed by a freshly minted opaque proxy state that is the only
state value sent upstream. The client's PKCE code_challenge and scope
are also retained so the upstream authorize redirect can be (re)built after a
consent-approval round-trip (confused-deputy mitigation).
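An added example, not code from the page or the project it describes, of an in-memory store holding exactly this per-authorization state; the upstream and proxy URLs, client id and the hypothetical `ProxyStateStore` class are constructed for illustration:

```python
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

# Constructed values for the example; a real proxy reads these from configuration.
UPSTREAM_AUTHORIZE_URL = "https://idp.example/authorize"
UPSTREAM_CLIENT_ID = "proxy-client-id"
PROXY_CALLBACK_URL = "https://proxy.example/callback"


@dataclass
class AuthorizationState:
    client_redirect_uri: str      # client's dynamic redirect_uri
    client_state: Optional[str]   # client's own state, never sent upstream
    code_challenge: str           # client's PKCE challenge (S256 assumed)
    scope: str


class ProxyStateStore:
    def __init__(self):
        self._entries: dict = {}

    def begin(self, client_redirect_uri, client_state, code_challenge, scope):
        # Mint a fresh opaque key; it is the only state value the upstream IdP sees.
        proxy_state = secrets.token_urlsafe(32)
        self._entries[proxy_state] = AuthorizationState(
            client_redirect_uri, client_state, code_challenge, scope)
        return proxy_state

    def upstream_authorize_url(self, proxy_state):
        # Built from the stored entry, so it can be rebuilt after a consent round-trip.
        entry = self._entries[proxy_state]
        return UPSTREAM_AUTHORIZE_URL + "?" + urlencode({
            "response_type": "code", "client_id": UPSTREAM_CLIENT_ID,
            "redirect_uri": PROXY_CALLBACK_URL, "state": proxy_state,
            "scope": entry.scope, "code_challenge": entry.code_challenge,
            "code_challenge_method": "S256"})

    def complete(self, upstream_state, proxy_code):
        # Single-use lookup: unknown or replayed state is rejected, not redirected.
        entry = self._entries.pop(upstream_state, None)
        if entry is None:
            return None
        params = {"code": proxy_code}
        if entry.client_state is not None:
            params["state"] = entry.client_state
        return entry.client_redirect_uri + "?" + urlencode(params)
```

The callback path returns `None` for a state it does not know, so the proxy never redirects to a client redirect_uri it did not record itself at /authorize.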