Interesting - Hard to know but maybe (seems unlikely) you can check to see if the state param is the same when returned from the authorization server as in the original request? Aside from that, I definitely recommend testing/comparing against one of our sample apps to see if you experience the same issue.