feat(oauth2-set-state): Allow set state in case it exists on oauth2 provider [#253]

Author: farnabaz

docs/schemes/oauth2.md

@@ -18,7 +18,8 @@ auth: {
       token_type: 'Bearer',
       redirect_uri: undefined,
       client_id: 'SET_ME',
-      token_key:  'access_token'
+      token_key:  'access_token',
+      state: 'UNIQUE_AND_NON_GUESSABLE'
     }
   }
 }
@@ -64,6 +65,11 @@ By default is set to `token_key: 'access_token'`. If you need to use the IdToken
 
 By default is set to `refresh_token_key: 'refresh_token'`. It automatically store the refresh_token, if it exists.
 
+### `state`
+
+By default is set to random generated string.  
+The primary reason for using the state parameter is to mitigate CSRF attacks. ([read more](https://auth0.com/docs/protocols/oauth2/oauth-state))
+
 ## Usage
 
 ```js

lib/schemes/oauth2.js

@@ -70,8 +70,10 @@ export default class Oauth2Scheme {
       client_id: this.options.client_id,
       redirect_uri: this._redirectURI,
       scope: this._scope,
-      state: randomString()
-    }
+      // Note: The primary reason for using the state parameter is to mitigate CSRF attacks.
+      // @see: https://auth0.com/docs/protocols/oauth2/oauth-state
+      state: this.options.state || randomString(),
+    };
 
     if (this.options.audience) {
       opts.audience = this.options.audience