outpost/proxyv2: use fallback url if state is missing

[chetan]

Details

Occasionally when opening a site protected w/ an outpost and while already logged in, an old cookie (I think?) on the protected hostname causes a session mismatch, even though a valid session is available on the auth host.

{"event":"mismatched session ID","is":"UOQAE7NDSD3I7NIBK7YZLNUHIYS...","level":"warning","logger":"authentik.outpost.proxyv2.application","name":"provider-foo","should":"ZGFF27AG5NQMIJGOHVYK6EU....","timestamp":"2026-03-10T15:04:51Z"}
{"event":"invalid state","level":"warning","logger":"authentik.outpost.proxyv2.application","name":"provider-foo","timestamp":"2026-03-10T15:04:51Z"}
{"event":"mismatched session ID","is":"UOQAE7NDSD3I7NIBK7YZLNUHIYS...","level":"warning","logger":"authentik.outpost.proxyv2.application","name":"provider-foo","should":"ZGFF27AG5NQMIJGOHVYK6EU...","timestamp":"2026-03-10T15:04:51Z"}
{"event":"/outpost.goauthentik.io/callback?X-authentik-auth-callback=true&code=b56...snip...&state=ey...snip...","host":"hub.bixby.io","level":"info","logger":"authentik.outpost.proxyv2.application","method":"GET","name":"provider-foo","remote":"172.18.0.43:55790","runtime":"0.361","scheme":"http","size":0,"status":400,"timestamp":"2026-03-10T15:04:51Z","user":"chetan","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0"}

Instead of failing with 400 Bad Request, we should always redirect the user back to the app as a fallback, so that the auth process can start again (the current workaround when you see bad request).

Closes #10848

---

Checklist

• Local tests pass (ak test authentik/)
• The code has been formatted (make lint-fix)

If an API change has been made

• The API schema has been updated (make gen-build)

If changes to the frontend have been made

• The code has been formatted (make web)

If applicable

• The documentation has been updated
• The documentation has been formatted (make docs)

[netlify]

✅ Deploy Preview for authentik-docs ready!

Name	Link
🔨 Latest commit	66bd0b5
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-docs/deploys/69b061992c96e300075c0a2f
😎 Deploy Preview	https://deploy-preview-20831--authentik-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.41%. Comparing base (95f1d21) to head (66bd0b5).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #20831      +/-   ##
==========================================
- Coverage   93.45%   93.41%   -0.04%     
==========================================
  Files         993      993              
  Lines       55906    55968      +62     
==========================================
+ Hits        52245    52282      +37     
- Misses       3661     3686      +25     

Flag	Coverage Δ
conformance	37.54% <ø> (-0.05%)	⬇️
e2e	43.05% <ø> (-0.05%)	⬇️
integration	22.24% <ø> (-0.08%)	⬇️
unit	91.62% <ø> (+<0.01%)	⬆️
unit-migrate	91.71% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.