well true that you cant directly use a state parameter but the pretty crazy flow from twitter already makes it so the state param isnt really needed, because of the oauth token and secret, which works similar but slightly different.
after all when you request an oauth token for the login you store the token secret and give the user the twitter login site with the token.
also since the oauth token itself is a dynamic parameter in the first place you can also store that and do a check on that.
and the oauth verifier has to obviously be the correct one for any given oauth token and the same for the secret. the secret is used for signing after all and if the sig doesnt check out, twitter wont let the login do anything.
so while it’s not you that decides the dynamic parameters, there are parameters which are dynamic enough to basically work as state, but while being more complicated also slightly better since there’s also a secret value instead of just the public state.
