possible consent session id attack? #753

Description

@zzmmzz777

The consent session id is exposed and fixed in the consent flow. So is there a session fixation attack?

  1. Visit http://localhost/protected-resource, get redirected to the consent URI: http://consent/login?consent=75343096-e5c2-4903-845f-ac2d73087d8f

  2. Send the consent URI to the victim; the victim logs in and gets an error (because the CSRF token is not found).

  3. The attacker visits the callback URL with the same consent session id:

http://oauth2/oauth2/auth?response_type=code&redirect_uri=http%3A%2F%2Flocalhost%2Fcallback&client_id=437dacfb-6fe4-4245-8548-4ee01de2297d&nonce=8fae995796fd1b81f4eab5af4b904199&state=ce8f8c4e388dedea8bffeb7ad4ce7987&scope=openid&consent=75343096-e5c2-4903-845f-ac2d73087d8f
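An added example, not code from this issue or from the project it is filed against: a minimal model of the consent flow above that binds the consent session id to the browser that started the flow and consumes it once at the callback, so a consent id handed to another browser cannot be redeemed. `ConsentServer`, `browser_id` (an opaque cookie value) and the `bind_to_browser` switch are hypothetical names chosen for the illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ConsentSession:
    browser_id: str                 # cookie value of the browser that started the flow
    subject: Optional[str] = None   # set once the user has logged in


class ConsentServer:
    """Toy consent/authorization server; bind_to_browser=False models the unbound id."""

    def __init__(self, bind_to_browser: bool = True):
        self.bind_to_browser = bind_to_browser
        self.sessions: Dict[str, ConsentSession] = {}

    def _same_browser(self, s: ConsentSession, browser_id: str) -> bool:
        return (not self.bind_to_browser) or s.browser_id == browser_id

    def start_flow(self, browser_id: str) -> str:
        """Step 1: create an unguessable consent id tied to the requesting browser."""
        consent_id = secrets.token_urlsafe(16)
        self.sessions[consent_id] = ConsentSession(browser_id=browser_id)
        return consent_id

    def login(self, consent_id: str, browser_id: str, subject: str) -> bool:
        """Step 2: only the browser that started the flow may attach a logged-in subject."""
        s = self.sessions.get(consent_id)
        if s is None or not self._same_browser(s, browser_id):
            return False
        s.subject = subject
        return True

    def callback(self, consent_id: str, browser_id: str) -> Optional[str]:
        """Step 3: redeem the consent id once; reject if unknown, unauthenticated or foreign."""
        s = self.sessions.pop(consent_id, None)   # single use: removed even on failure
        if s is None or s.subject is None or not self._same_browser(s, browser_id):
            return None
        return s.subject


def fixation_attempt(bind_to_browser: bool) -> Optional[str]:
    """Replays the issue's scenario: the id is created in one browser and used in another."""
    srv = ConsentServer(bind_to_browser=bind_to_browser)
    cid = srv.start_flow("browser-A")            # id minted for browser A
    srv.login(cid, "browser-B", "alice")         # a different browser logs in with it
    return srv.callback(cid, "browser-A")        # browser A tries to redeem it
```

With binding enabled `fixation_attempt` returns `None`, and the callback also refuses a second redemption of the same id.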
