facebook: pass state directly instead of encoding into redirect URL

...so the redirect URL can match the Strict Mode whitelist.
https://developers.facebook.com/blog/post/2017/12/18/strict-uri-matching/

README.md

@@ -312,6 +312,10 @@ you have it as a relative directory. pip requires fully qualified directories.
 
 Changelog
 ---
+### 1.11 - unreleased
+* Facebook
+    * Pass `state` to the initial OAuth endpoint directly, instead of encoding it into the redirect URL, so the redirect can [match the Strict Mode whitelist](https://developers.facebook.com/blog/post/2017/12/18/strict-uri-matching/).
+
 ### 1.10 - 2017-12-10
 Mostly just internal changes to webutil to support granary v1.10.
 

oauth_dropins/facebook.py

@@ -34,6 +34,7 @@
     'client_id=%(client_id)s',
     # redirect_uri here must be the same in the access token request!
     'redirect_uri=%(redirect_uri)s',
+    'state=%(state)s',
     'response_type=code',
     )))
 # https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#exchangecode
@@ -143,8 +144,9 @@ def redirect_url(self, state=None, app_id=None):
       'scope': self.scope,
       # TODO: CSRF protection identifier.
       # http://developers.facebook.com/docs/authentication/
-      'redirect_uri': urllib.quote_plus(self.to_url(state=state)),
-      })
+      'redirect_uri': urllib.quote_plus(self.to_url()),
+      'state': state,
+    })
 
 
 class CallbackHandler(handlers.CallbackHandler):
@@ -160,7 +162,7 @@ def get(self):
       'auth_code': auth_code,
       'client_id': appengine_config.FACEBOOK_APP_ID,
       'client_secret': appengine_config.FACEBOOK_APP_SECRET,
-      'redirect_uri': urllib.quote_plus(self.request_url_with_state()),
+      'redirect_uri': urllib.quote_plus(self.request.path_url),
       }
     try:
       resp = json.loads(util.urlopen(url).read())