The 'state' object holds a timestamp. This is verified when a code is delivered after third party authentication.
When this fails an INVALID_REQUEST_URI error is returned:
(e.g. OpenIdConnectProvider line 123)
However, expected behaviour is probably triggering reauthentication to self-heal this. Yet the authenticationresource does not see this as so, it only does so with interacton_required and login_required...
It would be best if this were to trigger a reauthenticate, since that self-fixes things (ideally)