This is a Base64 URL encoded hash. It is generated by Base64 URL encoding a SHA-256 hash of `nonce` + `token.getSessionState()` + `token.getIssuedFor()` + `provider`.
The `token` values are obtained from the OIDC access token. Basically you are hashing the random nonce, the user session id, the client id, and the identity

Why is this hash included? We do this so that the auth server is guaranteed to know that the client application initiated the request and no other rogue app
just randomly asked for a user account to be linked to a specific provider. The auth server will first check to see if the user is logged in by checking the SSO
cookie set at login. It will then try to regenerate the hash based on the current login and match it up to the hash sent by the application.
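
The hash computation and the server-side comparison described above, as an added example (not Keycloak's own code). It assumes UTF-8 input and unpadded Base64 URL output; the function names and all sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import uuid


def link_hash(nonce, session_state, client_id, provider):
    """Base64 URL encoding of SHA-256(nonce + session id + client id + provider)."""
    material = (nonce + session_state + client_id + provider).encode("utf-8")
    digest = hashlib.sha256(material).digest()
    # Assumption: '=' padding is stripped so the value is safe in a query string.
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def server_accepts(sent_hash, nonce, provider, sso_session_state, client_id):
    """Hypothetical server check: rebuild the hash from the server's own view of
    the login (SSO session, requesting client) and compare in constant time."""
    expected = link_hash(nonce, sso_session_state, client_id, provider)
    return hmac.compare_digest(expected.encode(), sent_hash.encode())


def demo():
    # Constructed sample values; in the application they come from the access token.
    session_state = "5f1c2a7e-constructed-session"   # token.getSessionState()
    client_id = "my-app"                              # token.getIssuedFor()
    provider = "github"                               # provider to link
    nonce = str(uuid.uuid4())                         # fresh random value per request
    sent = link_hash(nonce, session_state, client_id, provider)
    return {
        # Same login, same client: hashes match.
        "legitimate": server_accepts(sent, nonce, provider, session_state, client_id),
        # Request arrives for a different client id than the hash was built for.
        "other_client": server_accepts(sent, nonce, provider, session_state, "other-app"),
        # The browser's current SSO session is not the one the token belongs to.
        "other_session": server_accepts(sent, nonce, provider, "another-session", client_id),
        # Provider in the request was changed after the hash was computed.
        "provider_changed": server_accepts(sent, nonce, "facebook", session_state, client_id),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:17} accepted={accepted}")
```
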

After the account has been linked, the auth server will redirect back to the `redirect_uri`. If there is a problem servicing the link request,
the auth server may or may not redirect back to the `redirect_uri`. The browser may just end up at an error page instead of being redirected back
to the application. If there is an error condition and the auth server deems it safe enough to redirect back to the client app, an additional
`error` query parameter will be appended to the `redirect_uri`.

[WARNING]
While this API guarantees that the application initiated the request, it does not completely prevent CSRF attacks for this operation. The application
is still responsible for guarding against CSRF attacks targeted at itself.

==== Refreshing External Tokens

If you are using the external token generated by logging into the provider (e.g. a Facebook or GitHub token), you can refresh this token by re-initiating the account linking API.