CSRF cookie is no longer encrypted

internal/oidc/provider/manager/manager.go

@@ -94,8 +94,7 @@ func (m *Manager) SetProviders(oidcProviders ...*provider.OIDCProvider) {
 		upstreamStateEncoder.SetSerializer(securecookie.JSONEncoder{})
 
 		var csrfCookieEncoderHashKey = []byte("fake-csrf-hash-secret") // TODO replace this secret
-		var csrfCookieEncoderBlockKey = []byte("16-bytes-CSRF012")     // TODO replace this secret
+		var csrfCookieEncoder = securecookie.New(csrfCookieEncoderHashKey, nil)
-		var csrfCookieEncoder = securecookie.New(csrfCookieEncoderHashKey, csrfCookieEncoderBlockKey)
 		csrfCookieEncoder.SetSerializer(securecookie.JSONEncoder{})
 
 		m.providerHandlers[(issuerHostWithPath + oidc.WellKnownEndpointPath)] = discovery.NewHandler(issuer)