Comment 1 for bug 1900007

Simon Poirier (simpoir) wrote:

I dug quite a bit into this. It doesn't look like we've got a covert redirect vulnerability here. To be clear, there is a redirect (invitation) but it is limited to the specified resource on the server (not open redirection).
I don't quite see that as vulnerable.

Furthermore, the added "invitation" query parameter does not invalidate matching of the redirect_uri, as query parameters are allowed per
https://tools.ietf.org/html/rfc6749#section-3.1.2

However, I do agree that we should switch to using the state parameter instead, if only to follow the recommendations at
https://www.oauth.com/oauth2-servers/redirect-uris/redirect-uri-registration/#per-request
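The pattern the comment above recommends, carrying the per-request invitation in the opaque `state` value (bound to the user's session) while keeping `redirect_uri` byte-for-byte equal to the registered one, as an added illustration that is not code from this project. The host names, the `client-id-placeholder` value and the `oauth_state` session key are constructed for the example:

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for the example: the client's registered redirect URI
# and the authorization endpoint it talks to.
REGISTERED_REDIRECT_URI = "https://client.example/oauth/callback"
AUTHORIZE_ENDPOINT = "https://auth.example/authorize"


def authorization_server_accepts(registered: str, requested: str) -> bool:
    """Authorization-server side: compare the requested redirect_uri with the
    registered one by simple string comparison. Anything appended to the
    registered URI (extra query parameters, fragments, trailing slash) fails."""
    return registered == requested


def build_authorization_request(session: dict, invitation: str) -> str:
    """Client side: start the flow. The invitation is stored server-side next
    to a fresh random state token; only the unguessable token travels in the
    URL, so redirect_uri stays exactly the registered value."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = {"token": state, "invitation": invitation}
    params = {
        "response_type": "code",
        "client_id": "client-id-placeholder",  # constructed placeholder
        "redirect_uri": REGISTERED_REDIRECT_URI,
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def state_from_url(url: str) -> str:
    """Extract the state query parameter from a URL (helper for the demo/test)."""
    return parse_qs(urlsplit(url).query).get("state", [""])[0]


def handle_callback(session: dict, callback_url: str) -> str:
    """Client side: validate the redirect back. The returned state must equal
    the token this session issued (this is also the CSRF check), and the
    invitation is recovered from the session, never from the redirect itself.
    The pending entry is consumed so a state value cannot be replayed."""
    pending = session.pop("oauth_state", None)
    if pending is None:
        raise ValueError("no authorization request pending for this session")
    returned = state_from_url(callback_url)
    if not returned or not hmac.compare_digest(
        returned.encode(), pending["token"].encode()
    ):
        raise ValueError("state mismatch: possible CSRF or replay")
    return pending["invitation"]


def demo_round_trip(invitation: str = "inv-123") -> str:
    """Run one complete flow in-process and return the recovered invitation."""
    session: dict = {}
    authorize_url = build_authorization_request(session, invitation)
    # The authorization server redirects back with a code and the same state.
    callback = f"{REGISTERED_REDIRECT_URI}?code=constructed-code&state={state_from_url(authorize_url)}"
    return handle_callback(session, callback)


if __name__ == "__main__":
    print(demo_round_trip())
```

Two properties are worth noting: `authorization_server_accepts` rejects a `redirect_uri` that has had `?invitation=...` appended, which is why the invitation has to move into `state`; and because `handle_callback` pops the pending entry, a second callback with the same state, or a callback in a session that never started the flow, raises instead of being accepted.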