Support granular OAuth2 flow with state and verifier persistence · Issue #992 · modelcontextprotocol/python-sdk · GitHub

Open
@andrey-star

Description

Currently, the OAuth2 PKCE implementation in src/mcp/client/auth.py stores the state and code_verifier in memory only, which prevents splitting the OAuth authorization flow across multiple processes.

This is common for apps with servers split between frontend and backend where BE cannot be blocked on a UI action. The UI first requests the server to generate the link, and the server processes the callback separately once the user follows it. The state and code_verifier are persisted between the calls with a short expiration time.

Proposal:

  • Add support for persisting the state and code_verifier values, e.g. through the redirectHandler, and looking them up in the callbackHandler for the final token exchange.
  • Allow more granular execution of the flow: generateUrl and exchangeToken should be callable individually.
