
Add OAuth state parameter to authorization URL#216

Merged
jancurn merged 1 commit into main from claude/fix-issue-214-AyuBd on May 8, 2026

Conversation

jancurn (Member) commented May 8, 2026

Fixes #214

Summary

This change ensures that the OAuth authorization URL includes a state parameter when the SDK doesn't provide one. This fixes compatibility with authorization servers that require the state parameter, such as Ubersuggest.

Key Changes

  • Added import of randomBytes from the crypto module
  • Modified the redirectToAuthorization override in performOAuthFlow to inject a random 16-byte hex-encoded state parameter if one is not already present in the authorization URL
  • Updated CHANGELOG.md to document this fix

Implementation Details

  • The state parameter is generated using randomBytes(16).toString('hex'), providing a cryptographically secure random value
  • The parameter is only added if the authorization URL doesn't already contain a state parameter, avoiding conflicts with SDK-provided values
  • Per the implementation comment, while PKCE already provides CSRF protection for this flow (making state verification unnecessary), some production OAuth servers require the state parameter per RFC 6749 §4.1.1, even though OAuth 2.1 treats it as RECOMMENDED

https://claude.ai/code/session_01DvJvUuWwHBT4VWoUZoqFhL

Some production MCP servers (e.g. Ubersuggest / Neil Patel) reject
authorization requests without a `state` parameter with `missing_state`,
because RFC 6749 §4.1.1 lets the authorization server require it.
@modelcontextprotocol/sdk does not include `state` when building the
URL, so `mcpc login` against those servers failed before reaching the
consent screen.

Inject a random `state` in the `redirectToAuthorization` override when
the SDK didn't supply one. PKCE already provides CSRF protection on
this flow, so the value does not need to be persisted or verified —
its sole purpose is server compatibility.

Fixes #214
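The injection step described in the PR summary and in the commit message above, written out as an added example; this is not the project's code or the `@modelcontextprotocol/sdk` override itself. `ensureStateParam`, `isHexState` and the sample authorization URL are assumptions constructed for the illustration.

```typescript
import { randomBytes } from "crypto";

// Hypothetical helper (not the project's own): given the authorization URL
// the SDK built, add a random `state` query parameter only when none is
// present. A state the SDK (or caller) already supplied is left untouched,
// which is the "avoid conflicts with SDK-provided values" behaviour.
function ensureStateParam(authorizationUrl: URL | string): URL {
  const url = new URL(authorizationUrl.toString());
  if (!url.searchParams.has("state")) {
    // 16 bytes from Node's CSPRNG -> 32 lowercase hex characters. As the PR
    // notes, PKCE already binds the callback to this client, so this value is
    // only there for servers that reject requests lacking `state`.
    url.searchParams.set("state", randomBytes(16).toString("hex"));
  }
  // Note: URLSearchParams.set re-serializes the whole query string; the
  // existing parameters keep their values, only their percent-encoding may
  // be normalized.
  return url;
}

// Quick sanity check a caller can apply before redirecting: does the URL
// now carry a state of the shape this helper generates?
function isHexState(value: string | null): boolean {
  return value !== null && /^[0-9a-f]{32}$/.test(value);
}

// Constructed sample: a PKCE authorization request with no `state`, i.e. the
// shape that strict servers answered with `missing_state`. Host, client id
// and code challenge are placeholders, not real values.
const SAMPLE_AUTH_URL =
  "https://auth.example.com/oauth/authorize?response_type=code" +
  "&client_id=placeholder-client-id" +
  "&redirect_uri=http%3A%2F%2F127.0.0.1%3A8765%2Fcallback" +
  "&code_challenge=placeholder_code_challenge_value&code_challenge_method=S256";

const patched = ensureStateParam(SAMPLE_AUTH_URL);
console.log(patched.toString());
```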
@jancurn jancurn merged commit b917d46 into main May 8, 2026
6 checks passed
@jancurn jancurn deleted the claude/fix-issue-214-AyuBd branch May 8, 2026 08:55


Development

Successfully merging this pull request may close these issues.

OAuth state parameter is missing, breaking authorization for strict servers (e.g. Ubersuggest)
