Allow defining state store for the Strategy

[kohtala]

The Strategy saves state between authorization and callback in session. This limits the use of SameSite on session cookie. User does not get back to the same session if it uses SameSite=Lax with response_mode=form_post or using SameSite=Strict for session cookie.

I looked at the Strategy.authenticate and it seems it is easy to restructure it such that the state storage implementation can be given as an option for the Strategy constructor. Much as the express-session allows implementing session stores to different needs.

I already did some prototyping. Any possibility of such a feature being included in openid-client?

[panva]

Unlikely, I will be removing the strategy from openid-client with the next major and extracting it to a package of its own.

[kohtala]

Good to know. Do you have any plan when that will happen?

I have a new feature to implement in application and the old strategy in the application would require keeping separate strategies for each redirect_uri which I'd rather not do. openid-client looks fantastic in comparison and does not have such a limit. I trust the new package will be as good.

[panva]

I have no ETA at the moment.

[kohtala]

Ok. Thanks. This helps me forward.

If you think the state store is something that could be taken into the new package, I hope I'll be able to offer a PR once you are ready. Or I could make a PR already here so it is there already when split to another package. I'd be glad to be of help.