Are you adding state as the auth url query parameter as opposed to the redirect URL? See this post for context: