Merge branch 'main' into ihrpr/elicitation

Author: ihrpr

README.md

@@ -548,7 +548,7 @@ putMessageTool.disable()
 
 const upgradeAuthTool = server.tool(
   "upgradeAuth",
-  { permission: z.enum(["write', vadmin"])},
+  { permission: z.enum(["write', admin"])},
   // Any mutations here will automatically emit `listChanged` notifications
   async ({ permission }) => {
     const { ok, err, previous } = await upgradeAuthAndStoreToken(permission)

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@modelcontextprotocol/sdk",
-  "version": "1.11.4",
+  "version": "1.12.2",
   "description": "Model Context Protocol implementation for TypeScript",
   "license": "MIT",
   "author": "Anthropic, PBC (https://anthropic.com)",

src/client/auth.test.ts

@@ -366,6 +366,31 @@ describe("OAuth Authorization", () => {
       expect(authorizationUrl.searchParams.has("scope")).toBe(false);
     });
 
+    it("includes state parameter when provided", async () => {
+      const { authorizationUrl } = await startAuthorization(
+        "https://auth.example.com",
+        {
+          clientInformation: validClientInfo,
+          redirectUrl: "http://localhost:3000/callback",
+          state: "foobar",
+        }
+      );
+
+      expect(authorizationUrl.searchParams.get("state")).toBe("foobar");
+    });
+
+    it("excludes state parameter when not provided", async () => {
+      const { authorizationUrl } = await startAuthorization(
+        "https://auth.example.com",
+        {
+          clientInformation: validClientInfo,
+          redirectUrl: "http://localhost:3000/callback",
+        }
+      );
+
+      expect(authorizationUrl.searchParams.has("state")).toBe(false);
+    });
+
     it("uses metadata authorization_endpoint when provided", async () => {
       const { authorizationUrl } = await startAuthorization(
         "https://auth.example.com",

src/client/auth.ts

@@ -21,6 +21,11 @@ export interface OAuthClientProvider {
    */
   get clientMetadata(): OAuthClientMetadata;
 
+  /**
+   * Returns a OAuth2 state parameter.
+   */
+  state?(): string | Promise<string>;
+
   /**
    * Loads information about this OAuth client, as registered already with the
    * server, or returns `undefined` if the client is not registered with the
@@ -162,10 +167,13 @@ export async function auth(
     }
   }
 
+  const state = provider.state ? await provider.state() : undefined;
+
   // Start new authorization flow
   const { authorizationUrl, codeVerifier } = await startAuthorization(authorizationServerUrl, {
     metadata,
     clientInformation,
+    state,
     redirectUrl: provider.redirectUrl,
     scope: scope || provider.clientMetadata.scope,
   });
@@ -301,11 +309,13 @@ export async function startAuthorization(
     clientInformation,
     redirectUrl,
     scope,
+    state,
   }: {
     metadata?: OAuthMetadata;
     clientInformation: OAuthClientInformation;
     redirectUrl: string | URL;
     scope?: string;
+    state?: string;
   },
 ): Promise<{ authorizationUrl: URL; codeVerifier: string }> {
   const responseType = "code";
@@ -347,6 +357,10 @@ export async function startAuthorization(
   );
   authorizationUrl.searchParams.set("redirect_uri", String(redirectUrl));
 
+  if (state) {
+    authorizationUrl.searchParams.set("state", state);
+  }
+
   if (scope) {
     authorizationUrl.searchParams.set("scope", scope);
   }

src/client/sse.ts

@@ -99,11 +99,11 @@ export class SSEClientTransport implements Transport {
   }
 
   private async _commonHeaders(): Promise<HeadersInit> {
-    const headers: HeadersInit = {};
+    const headers: HeadersInit = { ...this._requestInit?.headers };
     if (this._authProvider) {
       const tokens = await this._authProvider.tokens();
       if (tokens) {
-        headers["Authorization"] = `Bearer ${tokens.access_token}`;
+        (headers as Record<string, string>)["Authorization"] = `Bearer ${tokens.access_token}`;
       }
     }
 

src/examples/README.md

@@ -33,6 +33,12 @@ A full-featured interactive client that connects to a Streamable HTTP server, de
 npx tsx src/examples/client/simpleStreamableHttp.ts
 ```
 
+Example client with OAuth:
+
+```bash
+npx tsx src/examples/client/simpleOAuthClient.js
+```
+
 ### Backwards Compatible Client
 
 A client that implements backwards compatibility according to the [MCP specification](https://modelcontextprotocol.io/specification/2025-03-26/basic/transports#backwards-compatibility), allowing it to work with both new and legacy servers. This client demonstrates: