Bug in OAuth2 callback: 'state' parameter not set when redirecting after user declines to authorize application.

Repro steps:

1. Application redirects to the MYOB AccountRight Live OAuth2 authorization endpoint at: 

   https://secure.myob.com/oauth2/v1/authorize>client_id={CLIENT_ID}&response_type=code&scope=CompanyFile&redirect_uri={REDIRECT_URI}&state={STATE}.

2. User logs into a MYOB account.
3. User clicks 'No Thanks'

Expected behavior:

After the user clicks 'No Thanks' the MYOB website would redirect back to the application w/ the state parameter intact:

https://dev.accountright.finagraphstrongbox.com/v1/oauth2/callback?error=access_denied&state={STATE}

Actual behavior:

After the user clicks 'No Thanks' the MYOB website redirects back, but strips the state parameter from the query string.

https://dev.accountright.finagraphstrongbox.com/v1/oauth2/callback?error=access_denied

According to the RFC specification, the authorization provider is responsible for passing back the state parameter even for an error response. Please refer to  https://tools.ietf.org/html/rfc6749#section-4.1.2.

4.1.2.1. Error Response

 
RFC 6749                        OAuth 2.0                   October 2012


   state
         REQUIRED if a "state" parameter was present in the client
         authorization request.  The exact value received from the
         client.

   For example, the authorization server redirects the user-agent by
   sending the following HTTP response:

   HTTP/1.1 302 Found
   Location: https://client.example.com/cb?error=access_denied&state=xyz

 Not returning the state parameter opens up the endpoint to CSRF attacks. Is this bug being tracked and a fix planned?