
state needs to be specific to the user that clicked the sign in link #7

@benatkin

Description


The state in here is a randomly generated value that can only be used once. This won't protect against an attacker, because the attacker can intercept the redirect back to the microauth service, and if they can get an unsuspecting user to click a link to it, the unsuspecting user will be logged in as them. I think a cookie or localStorage is needed, because you'd need to get a user to do more than just click a link to get them to set their cookie or localStorage to match the one from the link.

I used localStorage when I played around with it earlier this year, but if I were writing a general-purpose one, even with micro, I would probably use a cookie.
