Summary

Fixes #143 - OIDC login fails with Authelia due to missing state parameter.

Problem

Authelia requires the state parameter in OIDC authorization requests (minimum 8 characters for entropy). The previous implementation didn’t include this parameter, causing invalid_state errors.

Changes

  • Added generate_state/0 function to create cryptographically secure 32-byte state values
  • Store state in session alongside PKCE verifier during authorization
  • Validate returned state matches stored state on callback (CSRF protection)
  • Include state parameter in Oidcc.create_redirect_url options
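The four steps above, as one end-to-end sketch. This is an added illustration, not the Claper code from this PR: the module name `MyAppWeb.OidcState`, the `MyApp.Oidc` provider-configuration name, the session keys and the controller-style helpers are assumptions, and `Oidcc.create_redirect_url/4` is called with the option map shape the oidcc 3.x docs describe (`redirect_uri`, `state`, `pkce_verifier`, `scopes`); check it against the oidcc version the project pins.

```elixir
defmodule MyAppWeb.OidcState do
  @moduledoc """
  Illustrative helpers (not the project's own code) for the OIDC `state`
  parameter: generate, store next to the PKCE verifier, send, and verify
  exactly once on the callback.
  """
  import Plug.Conn

  @state_key :oidc_state
  @verifier_key :oidc_pkce_verifier

  # 32 random bytes, base64url without padding, gives a 43-character
  # string: far above Authelia's 8-character minimum and also a valid
  # RFC 7636 code_verifier length (43..128 unreserved characters).
  @spec generate_state() :: String.t()
  def generate_state do
    32
    |> :crypto.strong_rand_bytes()
    |> Base.url_encode64(padding: false)
  end

  # Step 1-2 and 4: mint state + verifier, persist both in the session,
  # and build the authorization URL that carries them.
  # `MyApp.Oidc` is an assumed Oidcc.ProviderConfiguration.Worker name.
  def begin_authorization(conn, client_id, client_secret, redirect_uri) do
    state = generate_state()
    pkce_verifier = generate_state()

    conn =
      conn
      |> put_session(@state_key, state)
      |> put_session(@verifier_key, pkce_verifier)

    opts = %{
      redirect_uri: redirect_uri,
      state: state,
      pkce_verifier: pkce_verifier,
      scopes: ["openid", "profile", "email"]
    }

    case Oidcc.create_redirect_url(MyApp.Oidc, client_id, client_secret, opts) do
      {:ok, url} -> {:ok, conn, URI.to_string(url)}
      {:error, reason} -> {:error, reason, conn}
    end
  end

  # Step 3: on the callback, compare the returned state with the stored one.
  # The stored value is deleted before comparing so a state can be used
  # only once, the comparison is constant-time, and a callback that lacks
  # a state (or arrives with no state in the session) fails closed.
  def verify_callback(conn, %{} = params) do
    expected = get_session(conn, @state_key)
    conn = delete_session(conn, @state_key)

    with returned when is_binary(returned) <- Map.get(params, "state"),
         true <- is_binary(expected),
         true <- Plug.Crypto.secure_compare(expected, returned) do
      # Hand the PKCE verifier back to the caller for the token exchange,
      # and clear it from the session as well.
      verifier = get_session(conn, @verifier_key)
      {:ok, delete_session(conn, @verifier_key), verifier}
    else
      _ -> {:error, :invalid_state, conn}
    end
  end
end
```

Two details worth keeping when adapting this: `Plug.Crypto.secure_compare/2` avoids leaking the stored value through timing, and deleting the session entry before the comparison (rather than after a successful login) means a replayed or failed callback cannot be retried against the same state. The CSRF property only holds if the session cookie itself cannot be planted by an attacker, so the session should remain `http_only` and use a `SameSite` setting no weaker than `Lax`.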

/claim #143

Claim

Total prize pool: $150
Total paid: $0
Status: Pending
Submitted: December 06, 2025
Last updated: December 06, 2025

Contributors

Excellencedev (@Excellencedev): 100%

Sponsors

Claper (@ClaperCo): $150