GET an authorization URL (without following redirects), extract the
code from the redirect Location header, and validate the RFC 9207
iss authorization-response parameter against the selected authorization
server's recorded issuer (mix-up attack protection required by the MCP
2025-11-25 / draft authorization spec). Throws when iss is missing while
authorization_response_iss_parameter_supported is true, or when it does
not match the recorded issuer (simple string comparison, no
normalization). The authorization code is NOT returned on rejection.
When expectedState is non-empty, the redirect state parameter is also
verified against it; when it is missing or mismatched, the call throws
and the authorization code is discarded, per the MCP "Open Redirection" guidance
("MCP clients SHOULD use and verify state parameters ... and discard any
results that do not include or have a mismatch with the original state").
Passing an empty expectedState (the default) skips state verification.
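
The checks described above, sketched in Python as an added example (not the project's own code). The function, exception and parameter names are assumptions; the HTTP GET is left out, so the function takes the Location header value directly, and rejecting duplicated parameters is an extra choice of this example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample values (not from any real deployment).
RECORDED_ISSUER = "https://as.example"
SAMPLE_LOCATION = ("https://client.example/cb?code=abc123&state=xyz"
                   "&iss=https%3A%2F%2Fas.example")


class AuthorizationResponseError(Exception):
    """Redirect rejected; the authorization code is never attached."""


def extract_code(location, recorded_issuer, iss_supported, expected_state=""):
    """Return the code from a redirect Location value, or raise.

    iss_supported mirrors authorization_response_iss_parameter_supported
    from the selected server's metadata; expected_state "" skips the
    state check.
    """
    # keep_blank_values: "iss=" counts as present but wrong, not as missing.
    params = parse_qs(urlsplit(location).query, keep_blank_values=True)

    def single(name):
        values = params.get(name, [])
        if len(values) > 1:  # assumption of this example: refuse ambiguity
            raise AuthorizationResponseError(f"duplicate {name} parameter")
        return values[0] if values else None

    iss = single("iss")
    if iss is None:
        if iss_supported:
            raise AuthorizationResponseError("iss missing but advertised")
    elif iss != recorded_issuer:  # plain string compare, no normalization
        raise AuthorizationResponseError("iss does not match recorded issuer")

    if expected_state:
        state = single("state")
        if state is None or state != expected_state:
            raise AuthorizationResponseError("state missing or mismatched")

    # The code is read only after every check has passed.
    code = single("code")
    if code is None:
        raise AuthorizationResponseError("no code in redirect")
    return code
```

Because the comparison is not normalized, an iss of `https://as.example/` is rejected against a recorded issuer of `https://as.example`.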