WP OAuth2 modifies state variable during authentication
When authenticating vs WP OAuth2 server using ‘authorization code’ flow, the base64 encoded state parameter is incorrectly modified by WP OAuth2 server. The redirect from my client code looks something like this:
https://www.mysite.com/oauth/authorize?response_type=code&client_id=xxxxxxxxxxxxxxxxxxxx&state=affffff1233414313d9d9d9d_adddefefasdfadsfeadf2343%3D&redirect_uri=https://localhost:8080/login/oauth2/code/myclientname
When WP OAuth2 server provides the code for the next step in the flow, my client code does a GET to its own login endpoint:
GET [https://localhost:8080]/login/oauth2/code/myclientname?code=code_provided_by_WP_OAuth2_server&state=affffff1233414313d9d9d9d_adddefefasdfadsfeadf2343&iframe=break
The %3D has been stripped.
%3D is the URL encoding of ‘=’, which the base64 state parameter value is padded with if it does not reach a certain length. Some client libraries will accept the padding character’s removal and others will not. Mine doesn’t. I worked around it by generating a hex encoded state parameter value instead, and that works.
But WP OAuth2 server should send back the state in its exact original form so that finding the saved request at the other end does not fail.
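The following is an added example, not code from the original post or from the WP OAuth2 plugin. It models the round trip the post describes: the client stores a `state`, sends it in the authorize request, and must find the identical value in the callback. A constructed "lossy" server that drops trailing `=` padding (the behaviour reported above) is included so the effect on a strict client check can be seen, alongside the hex-encoded state that avoids the problem. All hostnames, client ids and the `CONSTRUCTED_CODE` value are placeholders.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def make_padded_state(nbytes: int = 16) -> str:
    """State as standard base64. 16 random bytes always end in '==' padding,
    which is the form that tripped the client in the post."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def make_hex_state(nbytes: int = 16) -> str:
    """State as hex: only [0-9a-f], so there is no padding for a server to strip
    (the workaround the post settled on)."""
    return secrets.token_hex(nbytes)


def build_authorize_url(base: str, client_id: str, state: str, redirect_uri: str) -> str:
    """Authorization-code request; urlencode turns any '=' in state into %3D."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "state": state,
        "redirect_uri": redirect_uri,
    }
    return base + "?" + urlencode(params)


def simulate_lossy_server_redirect(authorize_url: str, redirect_uri: str,
                                   code: str = "CONSTRUCTED_CODE") -> str:
    """Constructed model of the reported server behaviour: it decodes the state,
    strips trailing '=' padding, and echoes the rest back in the callback."""
    query = parse_qs(urlsplit(authorize_url).query)
    state = query["state"][0].rstrip("=")
    return redirect_uri + "?" + urlencode({"code": code, "state": state})


def state_matches(saved_state: str, callback_url: str) -> bool:
    """Strict, constant-time comparison of the saved state with the returned one.
    A mismatch means the client cannot find its saved authorization request and
    should reject the callback rather than guess at a 'close enough' value."""
    query = parse_qs(urlsplit(callback_url).query)
    returned = query.get("state", [""])[0]
    return hmac.compare_digest(saved_state.encode("utf-8"), returned.encode("utf-8"))


if __name__ == "__main__":
    authorize = "https://www.mysite.com/oauth/authorize"   # placeholder
    redirect = "https://localhost:8080/login/oauth2/code/myclientname"
    padded = make_padded_state()
    url = build_authorize_url(authorize, "CLIENT_ID_PLACEHOLDER", padded, redirect)
    print("padded state round-trips:", state_matches(padded, simulate_lossy_server_redirect(url, redirect)))
    hexstate = make_hex_state()
    url = build_authorize_url(authorize, "CLIENT_ID_PLACEHOLDER", hexstate, redirect)
    print("hex state round-trips:", state_matches(hexstate, simulate_lossy_server_redirect(url, redirect)))
```

The strict comparison is deliberate: `state` is the client's CSRF binding for the authorization request, so a client that "forgives" a modified value weakens that check. Choosing an encoding with no padding, as the post did, keeps the check strict while sidestepping a server that does not echo the value verbatim.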