OIDC Issuer ignores session_state
Hi,
when using this demo script (OIDC public client with PKCE), LLNG gives a session_state in its "authorization_code" response but I can get access_token without including it in /token query
Do you consider this as a security issue ?