79807238

Date: 2025-11-02 16:08:51
Score: 0.5
Natty:

You might try encoding the client_id in the state parameter.

  1. Intercept the Authorization Request: Implement a filter or handler on the Authorization Server (AS) just before the user is redirected to the login page.
  2. Encode the client_id: Take the original state value provided by the client, append the client_id, and then encode and sign this combined string (e.g., using Base64 and HMAC-SHA256, or by minting a small JWT). This creates a custom, extended state value.
  3. Use Extended State: The AS proceeds with the flow, using this extended state value. The user authenticates.
  4. Decode and Restore: When the user is redirected back to the AS's authorization endpoint, the AS extracts the custom state parameter, verifies its signature, decodes it, and reliably retrieves the original client_id and the client's original state value, all without touching the session.
Reasons:
  • Long answer (-0.5)
  • No code block (0.5)
  • Low reputation (0.5)
Posted by: Max
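The four-step scheme described in the answer, as an added example (not code from the answerer): an authorization server combines the client's original state with the client_id, base64url-encodes it, and appends an HMAC-SHA256 tag, then verifies the tag in constant time before trusting anything it decodes. The signing key, the field names and the dot separator are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical server-side signing key, constructed for this example; a real
# authorization server would load it from its secret store and rotate it.
STATE_KEY = b"example-authorization-server-state-key"


def _b64url_encode(raw: bytes) -> str:
    """base64url without padding, so the value is safe in a query string."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Restore the padding that _b64url_encode stripped, then decode."""
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def make_extended_state(original_state: str, client_id: str, key: bytes = STATE_KEY) -> str:
    """Step 2: bundle the client's state with client_id and sign the bundle."""
    payload = _b64url_encode(json.dumps({"s": original_state, "c": client_id}).encode("utf-8"))
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64url_encode(tag)}"


def parse_extended_state(extended_state: str, key: bytes = STATE_KEY):
    """Step 4: verify the tag first; return (original_state, client_id), or None if invalid."""
    try:
        payload, tag_text = extended_state.split(".", 1)
        expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison so a tampered tag cannot be refined byte by byte.
        if not hmac.compare_digest(expected, _b64url_decode(tag_text)):
            return None
        data = json.loads(_b64url_decode(payload))
        return data["s"], data["c"]
    except (ValueError, KeyError, TypeError):
        # Malformed base64, malformed JSON, missing fields, or no separator.
        return None
```

Because the payload is only base64url-encoded, not encrypted, the client_id and original state remain readable by anyone who sees the URL; the tag only guarantees they were not altered.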