Wrong OAuth anti-forgery unique session token generation

[pwargulak]

Hello,

there is this generate_state method in oauth.py:

def generate_state(self):
        """
        Generates a state which is required during the OAuth sign-in process
        """
        return jwt.encode(
            request.args.to_dict(flat=False),
            self.appbuilder.app.config["SECRET_KEY"],
            algorithm="HS256",
        )

It generates 'static' values for all sessions, meaning if you got one you will know values for all sessions for a server.

It seems the intention for this 'state' parameter is to be a CRSF protection, so it should be random.