Missing state in initial request + deny consent results in failure #595

@simara-svatopluk

Description

Describe the bug

If we don't specify the state parameter in the initial request, and the authorization server requires consent, and we deny that consent, the application ends up with an exception.

Exception details: https://pastebin.com/fqJzVuLr

To Reproduce

  • Start the sample DefaultAuthorizationServerApplication
  • In a browser visit http://auth-server:9000/oauth2/authorize?response_type=code&client_id=messaging-client&scope=message.read message.write&redirect_uri=http://127.0.0.1:8080/authorized (notice the missing state parameter)
  • Log in with user1 + password
  • Cancel
  • Application returns 500

Expected behavior
The authorization server should probably redirect back to redirect_url and specify error: unauthorized

Sample

The sample is part of this library, and I'd like to say thanks for that!
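The behaviour the report expects, written out as an added example that is not part of the issue or of the project's own code. RFC 6749 section 4.1.2.1 prescribes the shape of the response when the resource owner denies access: redirect to the registered redirect_uri with error=access_denied, and echo the state parameter only if the client sent one. The example is in Python rather than the project's Java so it can run stand-alone; the client registry, the function names and the tuple return convention are assumptions made for the illustration, and the authorize URL is the one from the repro steps with the space in scope percent-encoded.

```python
"""Constructed example: the consent-denied response with and without `state`.

Models what an authorization server should return when the user cancels on
the consent page. Not the project's code; names and structure are assumed.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed: the client registration used by the issue's repro steps.
REGISTERED_CLIENTS = {
    "messaging-client": {"redirect_uris": {"http://127.0.0.1:8080/authorized"}},
}

# Constructed: the authorize request from the issue (no state parameter).
ISSUE_URL = ("http://auth-server:9000/oauth2/authorize?response_type=code"
             "&client_id=messaging-client&scope=message.read%20message.write"
             "&redirect_uri=http://127.0.0.1:8080/authorized")


def parse_authorize_request(url):
    """Return the query parameters of an /oauth2/authorize request as a dict.

    'state' is simply absent from the dict when the client omitted it, which
    is exactly the situation the bug report describes.
    """
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def deny_consent(request_params):
    """Decide the response when the resource owner denies consent.

    Returns ('redirect', location) for the RFC 6749 4.1.2.1 error redirect,
    or ('error_page', reason) when redirecting would be unsafe. A missing
    state is a valid request and must not be treated as an internal error;
    assuming it is always present is what produces a 500 instead of a redirect.
    """
    client = REGISTERED_CLIENTS.get(request_params.get("client_id"))
    redirect_uri = request_params.get("redirect_uri")
    if client is None or redirect_uri not in client["redirect_uris"]:
        # Never redirect to an unknown client or an unregistered redirect_uri;
        # that would turn the server into an open redirector. Tell the user.
        return ("error_page", "invalid client_id or redirect_uri")

    error_params = [("error", "access_denied")]
    state = request_params.get("state")
    if state is not None:  # echo state only when the client sent one
        error_params.append(("state", state))

    parts = urlsplit(redirect_uri)
    # Preserve any query string the registered redirect_uri already carries.
    query = urlencode(parse_qsl(parts.query, keep_blank_values=True) + error_params)
    location = urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))
    return ("redirect", location)


if __name__ == "__main__":
    # Without state (the issue's request) and with state, for comparison.
    print(deny_consent(parse_authorize_request(ISSUE_URL)))
    print(deny_consent(parse_authorize_request(ISSUE_URL + "&state=abc123")))
```

The redirect_uri check comes before anything else because an error redirect to an unregistered URI is itself a vulnerability; only once the target is known to be registered is it safe to send the user back with the error, whether or not state was supplied.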
