Add state param to OAuth /authorize request

[msabramo]

Add state param to OAuth /authorize request; increases security and allows OAuth to work with Okta

Motivation and Context

Some OAuth servers, such as Okta require the state parameter to be present to help prevent CSRF attacks.
More info:

• upstream issue - Missing state in OAuth requests modelcontextprotocol/inspector#442
• discussion - https://github.com/orgs/mcp-auth/discussions/44
• article from Okta - https://support.okta.com/help/s/article/the-authentication-request-has-an-invalid-state-parameter?language=en_US

In particular, https://support.okta.com/help/s/article/the-authentication-request-has-an-invalid-state-parameter?language=en_US says:

Okta requires the OAuth 2.0 state parameter on all requests to the /authorize endpoint to prevent cross-site request forgery (CSRF). The OAuth 2.0 specification requires that clients protect their redirect URIs against CSRF by sending a value in the authorized request that binds the request to the user-agent's authenticated state. Using the state parameter is also a countermeasure to several other known attacks, as outlined in OAuth 2.0 Threat Model and Security Considerations.

How Has This Been Tested?

• npm run dev
• Connect to "whoami" SSE server at http://localhost:3001/sse
• using a corporate Okta instance as the authorization server.
• Was able to:
  • successfully login
  • execute a whoami tool
  • verify that the tool knew info about me from OIDC.

Breaking Changes

Hopefully none

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
  
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

Cc: @xiaoyijun, @phuctm97, @jspahrsummers, @jerome3o-anthropic

[xiaoyijun]

Hi @msabramo, thanks for your PR! I am currently considering syncing the mcp-auth fork of inspector with the official repo. Would you be open to submitting this PR to the official inspector repo as well? Of course, I will first merge this PR into the current project.

I plan to do this after modelcontextprotocol#345 is merged. If there are further updates to the official inspector repo, would you be able to help keep things in sync there?

Previously, I was syncing PRs from my personal fork to the official repo, so submitting PRs to the official repo directly from this project (mcp-auth) is a bit inconvenient.

Thanks again for your contribution!

[msabramo]

Hi @msabramo, thanks for your PR! I am currently considering syncing the mcp-auth fork of inspector with the official repo. Would you be open to submitting this PR to the official inspector repo as well?

You're welcome! I'm happy to contribute to the very nice work you've done here to make auth much easier in MCP and I'd be happy to submit this to the official repo tool so that even more people can benefit from it!

I already have a few PRs in the official inspector repo:
https://github.com/modelcontextprotocol/inspector/pulls/msabramo

[xiaoyijun]

Hi @msabramo, some tests failed—could you take a look?

[msabramo]

Hi @msabramo, some tests failed—could you take a look?

Well, it looks like these same errors might be happening on main, as a result of a push you did 3 weeks ago?

https://github.com/mcp-auth/inspector/actions/runs/15085688162

Since I'm looking at it now, let me see if I can fix them and submit another PR for that.

[msabramo]

Hi @msabramo, some tests failed—could you take a look?

Well, it looks like these same errors might be happening on main, as a result of a push you did 3 weeks ago?

https://github.com/mcp-auth/inspector/actions/runs/15085688162

Since I'm looking at it now, let me see if I can fix them and submit another PR for that.

Hi @xiaoyijun, check out #4