Edit: Sorry! I overlooked @andreapiazza’s post in which the problem has already been reported as ID-8490. Though I’m not sure I would characterize our status as “working on it”. Please watch, vote, and comment, so we can get some attention on it.
You are not alone. I have seen this quite a few times in the community. I recommend logging this problem as a suggestion (our term for “feature request”) so you, and others who might stumble upon this thread, would have something formal to track. Could you please open a “suggestion” issue yourself in our open Jira (JAC) in the ECO project ? The title of this thread is a pretty good summary. Once you have the issue key, please let us know here so other folks can watch, vote, and comment.
Datetime ordering might be a quick solution (and, to be clear, I’m nowhere close to that codebase). But I wouldn’t consider it very robust; it depends on implied synchronization, which could make testing & troubleshooting nearly imposssible. My recommendation (when I’ve had an opportunity to talk to the engineering team) would be to return the original state parameter in the accessible-resources. Although the spec has no accessible-resources concept, I think that’s pretty close to the intent of the state parameter in the OAuth 2 spec.
Regardless, the solution is up to our OAuth team. As such, when posting on JAC, please make sure to state the problem clearly and separate it from proposed solutions, which are still helpful but only imply the problem.