During authorization code flow, allow to add parameter "state" to "/authorize?..." request

[aschrei-tricentis]

This package works great for a remote MCP server via streamable HTTP. I use it in Cursor AI via npx. However, currently, I have to use a workaround to make the authentication work. The reason is that this MCP server uses okta as identity provider and okta requires that the state parameter is included in every call to the "authorize" endpoint. It seems that this cannot be configured differently on okta side: https://devforum.okta.com/t/setting-for-requiring-state-parameter-in-request/25063

The workaround is to run a command "npx mcp-remote ..." before enabling the MCP server in cursor. Then I copy the "/authorize?.." url from the console output of "mcp-remote" and append "&state=someRandomValue". Then the login works and mcp-remote caches the access and refresh token. Then the MCP server can be enabled in cursor AI via "npx mcp-remote ..." and works perfectly fine.

[aschrei-tricentis]

If I see it correctly, a solution could be to implement the method "state()" of interface OAuthClientProvider in class NodeOAuthClientProvider and return a state if passed in as an option to mcp-remote. (or maybe a random value)

[aschrei-tricentis]

Thank you @mstrelex! I tested #101 end-to-end via MCP config in Cursor AI and it works now. No need for the workaround anymore if this PR would be merged.

[geelen]

Closed by merging #93 , released under v0.1.12

[aschrei-tricentis]

Awesome, thanks a lot! Tested it with v0.1.12 and now it works perfectly fine. 👍