Think I've figured out part of this. After user login, Drupal now calls the exact same redirect request using another query parameter check_logged_in=1.
The state error triggers because the check_logged_in request leaves out the state. I also think it expects a NULL response? But this was such a debugging rabbit hole I'm too tired to care at the moment.
I believe this can only be fixed in the main Social Auth module. I haven't seen the issue reported there. Came across this open issue while building my own Social Auth module for ArcGIS by copying Facebook's. Installed Google and reproduced the same results as described in this open issue which makes me think this problem is for all Social Auth modules, currently.
Slapped together a little patch for the main Social Auth module which solves the problem. New here but my boss at work says you guys call this "killing kittens".
In Social Auth: src/Controller/OAuth2ControllerBase.php at line 290
// Drupal checks callback requests to see if a user is logged in
$checkLogin = $this->request->getCurrentRequest()->query->get('check_logged_in');
// If this is Drupal's check logged in request, ignore and exit fn
if($checkLogin == '1'){
return NULL;
}
If you're curious about what's going on with the check_logged_in stuff, I found it in:
https://api.drupal.org/api/drupal/core%21modules%21user%21src%21Authentication%21Provider%21Cookie.php/function/Cookie%3A%3AaddCheckToUrl
and
https://api.drupal.org/api/drupal/core%21modules%21user%21user.module/function/user_login_finalize