Encoding claims in the OAuth 2 state parameter using a JWT is an Internet Draft
we last saw at https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state-07
In the OAuth 2.0 Authorization protocol, RFC 6749, the Authorization Server SHOULD perform an exact string comparison of the "redirect_uri" parameter with the "redirect_uri" registered by the OAuth Client. This is essential for preventing token leakage to third parties in the OAuth Implicit Grant.
As a result, OAuth Clients cannot safely add extra query parameters to the "redirect_uri" parameter to encode additional client state information.
The Client MUST use the "state" parameter to encode both Cross-site request forgery protection and any other state information it wishes to preserve for itself regarding the Authorization Request.
This draft proposes a mechanism whereby multiple state attributes can be encoded into a JSON Web Token (JWT) RFC 7519 for use as the value of the "state" parameter.