When doing third-party OAuth2 authentication, you really should supply the state parameter to prevent forgery attacks. Usually, you hash something known but variable to each authentication attempt, say clientID or timestamp.
I was considering hashing data.connection.fingerprint, which would mean one can avoid having to store the value used (before hashing) to the DB, but still allow easy comparison/verification.
Does anyone see any potential issue with this approach?
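
An added example, not part of the original post, of deriving `state` from a per-connection value without storing anything in the DB. It uses a keyed HMAC over the fingerprint plus a random nonce and timestamp instead of a bare hash, so the value cannot be recomputed by someone who knows the fingerprint. `STATE_KEY`, `MAX_AGE_MS`, `issueState` and `verifyState` are hypothetical names, and the fingerprint strings are constructed sample values.

```javascript
const crypto = require('node:crypto');

// Assumption: a server-side secret. Generated per process here; in real use
// it would be loaded from configuration so every instance shares it.
const STATE_KEY = crypto.randomBytes(32);
const MAX_AGE_MS = 10 * 60 * 1000; // assumed lifetime of one login attempt

// Keyed MAC over the values the state is bound to.
function mac(fingerprint, nonce, issuedAt) {
  return crypto.createHmac('sha256', STATE_KEY)
    .update(JSON.stringify([fingerprint, nonce, issuedAt]))
    .digest('base64url');
}

// Build the value sent as the `state` query parameter: nonce.timestamp.tag
function issueState(fingerprint, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('base64url');
  return `${nonce}.${now}.${mac(fingerprint, nonce, now)}`;
}

// Check the `state` returned on the callback against the current connection.
function verifyState(state, fingerprint, now = Date.now()) {
  const parts = String(state).split('.');
  if (parts.length !== 3) return false;
  const [nonce, ts, tag] = parts;
  const issuedAt = Number(ts);
  if (!Number.isSafeInteger(issuedAt)) return false;
  if (issuedAt > now || now - issuedAt > MAX_AGE_MS) return false; // expired or future-dated
  const expected = Buffer.from(mac(fingerprint, nonce, issuedAt));
  const given = Buffer.from(tag);
  // Constant-time comparison; lengths must match before timingSafeEqual.
  return given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
}

// Constructed sample values, for illustration only.
const sample = issueState('fp-constructed-A');
console.log(verifyState(sample, 'fp-constructed-A')); // same connection
console.log(verifyState(sample, 'fp-constructed-B')); // different connection
```

Because nothing is stored, a state issued this way stays valid for the same fingerprint until `MAX_AGE_MS` elapses; making it single-use requires server-side storage.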