Description
Possible CSRF security issue in OAuth2
The OAuth2 Adapter (used for a lot of providers) does not require the presence of the state even if supportRequestState is set, which allows some CSRF.
Version and provider
The problem is present in the current version v3.10.0
It affects a lot of providers as it is in the OAuth2 base class.
Reproduction
If you intercept the returning request, which has the code and state URL parameters set, strip the state parameter and give it to a user with a different browser (where $this->getStoredData('authorization_state') is null because the user has no session), the check $this->getStoredData('authorization_state') != $state does not work as expected and the authorization is accepted.
I think the check should be extended to something like (!$state || $this->getStoredData('authorization_state') != $state) to require a state in this case.
The specific line is hybridauth/src/Adapter/OAuth2.php, line 428 in c84f58d:
&& $this->getStoredData('authorization_state') != $state
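The following is an added example, not code from hybridauth or from the reporter. It simulates the state comparison described above in isolation, with the stored value and the received value passed in as plain arguments instead of being read from the session and the request. The function names, the scenario list and the argument values are constructed for illustration; they are not taken from the project. The first function reproduces the reported behaviour of the loose != comparison, the second is one way to harden it: require a non-empty state on both sides before comparing, and compare with hash_equals.

```php
<?php
// Added example (not hybridauth code). Function and variable names are hypothetical.
declare(strict_types=1);

/**
 * The comparison as reported in the issue: stored state vs. received state only.
 * Returns true when the callback is REJECTED.
 *
 * PHP loose comparison treats null != null and null != '' as false, so when the
 * session holds no authorization_state and the request carries no state, the
 * callback is accepted.
 */
function rejectedByOriginalCheck(?string $storedState, ?string $requestState): bool
{
    return $storedState != $requestState;
}

/**
 * Hardened comparison: a state must be present in the request AND in the session,
 * and the two must match (constant-time comparison).
 * Returns true when the callback is REJECTED.
 */
function rejectedByHardenedCheck(?string $storedState, ?string $requestState): bool
{
    if ($requestState === null || $requestState === '') {
        return true; // a callback without state is never acceptable
    }
    if ($storedState === null || $storedState === '') {
        return true; // no authorization was started in this session
    }
    return !hash_equals($storedState, $requestState);
}

// Constructed scenarios: [description, state stored in session, state in callback URL]
$scenarios = [
    ['legitimate callback in the originating browser', 'abc123', 'abc123'],
    ['state stripped, different browser (no session)',  null,     null],
    ['state stripped, same browser',                    'abc123', null],
    ['wrong state value',                               'abc123', 'zzz999'],
];

foreach ($scenarios as [$description, $stored, $received]) {
    printf(
        "%-50s original: %-6s hardened: %s\n",
        $description,
        rejectedByOriginalCheck($stored, $received) ? 'reject' : 'ACCEPT',
        rejectedByHardenedCheck($stored, $received) ? 'reject' : 'ACCEPT'
    );
}
```

Only the second scenario differs between the two checks: the original comparison accepts the state-less callback when nothing is stored, the hardened one rejects it. In a real handler the stored state should also be deleted after a successful comparison so that each value is usable once.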