GET an authorization URL (without following redirects) and extract the
code query parameter from the Location response header.
When expectedState is non-empty, the state parameter returned in the
redirect is verified against it (MCP authorization "Open Redirection":
"MCP clients SHOULD use and verify state parameters in the authorization
code flow and discard any results that do not include or have a mismatch
with the original state"). The authorization code is NOT returned (empty
string) when the returned state is missing or does not match. Passing an
empty expectedState (the default) skips state verification.
GET an authorization URL (without following redirects) and extract the code query parameter from the Location response header.
When expectedState is non-empty, the state parameter returned in the redirect is verified against it (MCP authorization "Open Redirection": "MCP clients SHOULD use and verify state parameters in the authorization code flow and discard any results that do not include or have a mismatch with the original state"). The authorization code is NOT returned (empty string) when the returned state is missing or does not match. Passing an empty expectedState (the default) skips state verification.