Does the RADIUS Response packet contain the attributes sent in the request packet?


I am working with a RADIUS server (whose source code I don't have) whose response to a RADIUS Authentication Request also contains the attributes sent with the request.

However, I was looking at the source code of tinyradius and it does not seem to copy all the attributes from the request packet while generating the response packet. It only copies Attribute number 33 (STATE attribute) if one exists.

RadiusClients seem to accept either response. What is the right thing to do?

Answer by Arran Cudbard-Bell (best answer)

No, RADIUS responses should not contain all the request attributes.

State is special: it can be used to link multiple rounds of requests/responses together.

The two main use cases for State are OTP authentication, where the password and the OTP code are sent over two or more rounds, and EAP authentication, which again occurs over multiple rounds.

NAS                     RADIUS
---                     ------
# Password round
Access-Request      ->
                    <-  Access-Challenge
                        [Generates random state 0x01]
# OTP round
Access-Request
[Copies state 0x01] ->
                        Access-Accept/Reject

Without the State attribute, there's no way to link an Access-Challenge and a subsequent Access-Request together.

Note: There's no specification of what to do with State; it's just used to tie packets together. In FreeRADIUS we maintain a list of 'session-state' attributes, which are available to policies in all rounds of a multi-round authentication attempt.
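
The State round trip from the answer above, as an added example (not code from tinyradius, FreeRADIUS or the answer's author): the challenge carries only attributes the server generated, and the second request is accepted only if it returns a State the server issued and has not yet consumed. Assumptions: the `ToyServer` class and its credentials are constructed, User-Password is compared in the clear (real RADIUS obfuscates it with the shared secret), and attribute types are those of RFC 2865, where State is type 24 and type 33 is Proxy-State.

```python
import secrets
import struct

USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # RFC 2865 types (33 is Proxy-State)
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11      # RFC 2865 packet codes

def encode_attrs(attrs):
    """Serialise [(type, value_bytes)] as RADIUS TLVs; length counts the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attrs(data):
    """Parse RADIUS TLVs, rejecting truncated or undersized attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

class ToyServer:
    """Hypothetical two-round (password, then OTP) policy; credentials are constructed."""
    def __init__(self):
        self.pending = {}  # State value -> user who passed the password round

    def handle(self, request_attrs):
        req = dict(parse_attrs(request_attrs))
        state = req.get(STATE)
        if state is None:  # password round: no State yet
            if req.get(USER_PASSWORD) != b"hunter2":
                return ACCESS_REJECT, b""
            state = secrets.token_bytes(16)  # unpredictable, so it cannot be guessed
            self.pending[state] = req.get(USER_NAME)
            # The reply holds only server-generated attributes, nothing echoed from the request.
            return ACCESS_CHALLENGE, encode_attrs([(REPLY_MESSAGE, b"Enter OTP"), (STATE, state)])
        user = self.pending.pop(state, None)  # one-time use: unknown or replayed State fails
        if user is None or user != req.get(USER_NAME) or req.get(USER_PASSWORD) != b"123456":
            return ACCESS_REJECT, b""
        return ACCESS_ACCEPT, b""
```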