How can I validate users with state (or nonce) when using OpenID with Steam


As I understand it so far, there is no way to pass a state and get it back when creating an OAuth 2.0 flow with OpenID + Steam. But in the return URL I'm getting an auto-generated nonce value which is encoded and encrypted (I think). I also can't pass a nonce value with the same param name, so I wasn't able to find a way to pass a value with the auth URL and get it back with the return URL.

But I'm also not sure about this: why do we get an auto-generated nonce back, then? I think there should be a way to use it to verify the session/user somehow, to prevent replay attacks etc.

Here is an example response from OpenID after authentication in Steam:

openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0
openid.mode=id_res
openid.op_endpoint=https%3A%2F%2Fsteamcommunity.com%2Fopenid%2Flogin
openid.claimed_id=https%3A%2F%2Fsteamcommunity.com%2Fopenid%2Fid%2F76561199054560800
openid.identity=https%3A%2F%2Fsteamcommunity.com%2Fopenid%2Fid%2F76561199054560800
openid.return_to=https%3A%2F%2Foauthdebugger.com%2Fdebug
openid.response_nonce=2024-03-24T02%3A01%3A42Z4f5eZhfY9R8MEqGpO0Fl5vogAsw%3D
openid.assoc_handle=1234567890
openid.signed=signed%2Cop_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle
openid.sig=uM417bEOsfKgyc%2B4fKKdZsLlZyk%3D

(In the return URL I have these params.)

So how do I handle the verification of the OAuth flow with these values?

I have tried to pass a state and a nonce but was not able to get them back with the response.


There are 0 answers
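The following is an added example, not code from the question or from Valve. The openid.ns value in the response identifies Steam's login as OpenID 2.0, not OAuth 2.0/OIDC, so there is no state parameter. The substitute OpenID 2.0 relying parties use is to put their own state in the query string of openid.return_to: the OP returns return_to verbatim, the relying party must check that it matches what it sent, and in the response above return_to is in the openid.signed list, so the state is covered by openid.sig. The signature itself is checked by posting the assertion back to op_endpoint with openid.mode=check_authentication and reading is_valid:true, and response_nonce is the replay protection: its leading timestamp bounds freshness and each value may be accepted once. The relying-party URL, the state value, and the fake_steam_post stand-in for the HTTPS round-trip are assumptions; the sample response is the question's, with return_to changed to carry a state.

```python
"""Verify a Steam OpenID 2.0 assertion while carrying your own state in return_to.
Added example; hypothetical relying-party URL and state, offline stand-in for the
check_authentication POST. Steam's real endpoint is the op_endpoint below."""
import re
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict
from urllib.parse import parse_qs, urlencode, urlparse

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
STEAM_OP_ENDPOINT = "https://steamcommunity.com/openid/login"
STEAM_ID_RE = re.compile(r"^https://steamcommunity\.com/openid/id/(\d{17})$")
REQUIRED_SIGNED = {"op_endpoint", "claimed_id", "identity", "return_to", "response_nonce"}
NONCE_WINDOW = timedelta(minutes=5)  # how old a response_nonce may be
SAMPLE_NOW = datetime(2024, 3, 24, 2, 2, 0, tzinfo=timezone.utc)  # "now" for the sample below

# Constructed sample: the question's response, with return_to pointing at a hypothetical
# relying party that embedded state=abc123 in return_to when it started the flow.
SAMPLE_RESPONSE = (
    "openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res"
    "&openid.op_endpoint=https%3A%2F%2Fsteamcommunity.com%2Fopenid%2Flogin"
    "&openid.claimed_id=https%3A%2F%2Fsteamcommunity.com%2Fopenid%2Fid%2F76561199054560800"
    "&openid.identity=https%3A%2F%2Fsteamcommunity.com%2Fopenid%2Fid%2F76561199054560800"
    "&openid.return_to=https%3A%2F%2Fexample.com%2Fauth%2Fsteam%2Freturn%3Fstate%3Dabc123"
    "&openid.response_nonce=2024-03-24T02%3A01%3A42Z4f5eZhfY9R8MEqGpO0Fl5vogAsw%3D"
    "&openid.assoc_handle=1234567890"
    "&openid.signed=signed%2Cop_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle"
    "&openid.sig=uM417bEOsfKgyc%2B4fKKdZsLlZyk%3D"
)


def build_login_url(return_to_base: str, state: str, realm: str) -> str:
    """Redirect URL for Steam. The per-session state rides inside return_to's query string."""
    params = {
        "openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
        "openid.identity": IDENTIFIER_SELECT, "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.return_to": f"{return_to_base}?{urlencode({'state': state})}",
        "openid.realm": realm,
    }
    return f"{STEAM_OP_ENDPOINT}?{urlencode(params)}"


def parse_response(query: str) -> Dict[str, str]:
    """Split the return URL's query string into single-valued openid.* fields."""
    pairs = parse_qs(query, keep_blank_values=True, strict_parsing=True)
    return {k: v[0] for k, v in pairs.items() if k.startswith("openid.")}


def nonce_timestamp(nonce: str) -> datetime:
    """response_nonce begins with a UTC timestamp (YYYY-MM-DDThh:mm:ssZ), then random characters."""
    return datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class NonceStore:
    """Replay cache keyed on response_nonce; entries older than NONCE_WINDOW are dropped."""
    def __init__(self) -> None:
        self._seen: Dict[str, datetime] = {}

    def consume(self, nonce: str, now: datetime) -> bool:
        self._seen = {n: t for n, t in self._seen.items() if now - t <= NONCE_WINDOW}
        if nonce in self._seen:
            return False
        self._seen[nonce] = now
        return True


def check_authentication_body(fields: Dict[str, str]) -> Dict[str, str]:
    """Stateless signature check: same fields posted to op_endpoint, mode switched."""
    return {**fields, "openid.mode": "check_authentication"}


def parse_check_authentication_reply(text: str) -> bool:
    """The OP answers in key:value lines; only is_valid:true confirms the signature."""
    kv = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    return kv.get("is_valid") == "true"


def fake_steam_post(body: Dict[str, str]) -> str:
    """Offline stand-in (assumption) for requests.post(STEAM_OP_ENDPOINT, data=body).text."""
    assert body["openid.mode"] == "check_authentication"
    return f"ns:{OPENID_NS}\nis_valid:true\n"


def verify_steam_login(query: str, expected_return_to: str, expected_state: str, now: datetime,
                       nonces: NonceStore, post: Callable[[Dict[str, str]], str]) -> str:
    """Return the 17-digit SteamID64, or raise ValueError on any failed check."""
    f = parse_response(query)
    if f.get("openid.ns") != OPENID_NS or f.get("openid.mode") != "id_res":
        raise ValueError("not a positive OpenID 2.0 assertion")
    if f.get("openid.op_endpoint") != STEAM_OP_ENDPOINT:
        raise ValueError("assertion not issued by the Steam OP endpoint")
    rt = urlparse(f.get("openid.return_to", ""))  # must be the URL we sent; our state is in its query
    if rt._replace(query="", fragment="").geturl() != expected_return_to:
        raise ValueError("return_to does not match the URL we sent")
    if parse_qs(rt.query).get("state") != [expected_state]:
        raise ValueError("state mismatch (possible CSRF or session mix-up)")
    missing = REQUIRED_SIGNED - set(f.get("openid.signed", "").split(","))
    if missing:  # anything we rely on but the OP did not sign could be swapped by an attacker
        raise ValueError(f"unsigned fields: {sorted(missing)}")
    m = STEAM_ID_RE.match(f.get("openid.claimed_id", ""))
    if not m or f.get("openid.identity") != f["openid.claimed_id"]:
        raise ValueError("claimed_id is not a Steam identity URL")
    nonce = f.get("openid.response_nonce", "")
    if abs(now - nonce_timestamp(nonce)) > NONCE_WINDOW:
        raise ValueError("response_nonce outside the freshness window")
    if not parse_check_authentication_reply(post(check_authentication_body(f))):
        raise ValueError("Steam did not confirm the signature")
    # Consume the nonce only after the signature is confirmed, so forged responses cannot
    # burn nonces; production code needs an atomic store (e.g. a SET NX with expiry).
    if not nonces.consume(nonce, now):
        raise ValueError("replayed assertion")
    return m.group(1)
```

The state value in return_to should be unpredictable and bound to the browser session (a cookie), exactly as an OAuth 2.0 state would be; the signature only proves Steam echoed what the relying party sent, so the relying party still has to compare it with its own record. The check_authentication round-trip is what authenticates the assertion: the locally checked fields are worthless until is_valid:true comes back from op_endpoint over HTTPS.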