Minor Changes
- #2286
1823aaeThanks @felixweinberger! - SEP-2468 follow-up:transport.finishAuth()gains aURLSearchParamsoverload (preferred) that extractscode/iss, validatesissfirst, and on mismatch throws a sanitizedIssuerMismatchError(no callbackerror_descriptiontext); callers remain responsible forstate. Behavior change for@modelcontextprotocol/server-legacy:mcpAuthRouternow advertisesauthorization_response_iss_parameter_supported(defaulttrue;ProxyOAuthServerProviderreportsfalse) and the bundled authorize handler appendsiss(RFC 9207) to everyres.redirect(...)yourOAuthServerProvider.authorize()issues to the client'sredirect_uri. If your provider redirects another way (res.writeHead, a separate consent-page response, or a standaloneauthorizationHandler({provider})withoutissuerUrl), appendparams.issuerasissyourself or setauthorizationResponseIssParameterSupported: false— otherwise RFC 9207-compliant clients (including this SDK) will reject the callback.