/authis hardcoded, which was also the case for the Node.js client, but the test suite would have to grow a lot of smarts to see that in a HTML form.
stateparam to recover the session. Most frameworks use a cookie, though. But maybe there’s a method to recover, or alternatively, create your own login session type thing, though then we’re full circle: could just use the nonce as the session key. 🙃