Address review: clarify iss migration note, make callback getters properties

Kludex · Kludex · commit 7eeee6cd3113 · 2026-06-20T17:14:30.000+02:00
- migration.md: spell out that omitting iss raises OAuthFlowError against servers advertising authorization_response_iss_parameter_supported, rather than merely disabling the check. - simple-auth-client example: convert get_state/get_iss to @Property.
diff --git a/docs/migration.md b/docs/migration.md
@@ -78,7 +78,7 @@ async def callback_handler() -> AuthorizationCodeResult:
     )
 ```
 
-Forward the `iss` query parameter from the redirect so the validation can run; omitting it disables the issuer check for servers that send `iss`.
+Forward the `iss` query parameter from the redirect so the validation can run: omitting it makes the flow fail with `OAuthFlowError` against servers that advertise `authorization_response_iss_parameter_supported`, and silently skips the check for servers that send `iss` without advertising it.
 
 ### `get_session_id` callback removed from `streamable_http_client`
 
diff --git a/examples/clients/simple-auth-client/mcp_simple_auth_client/main.py b/examples/clients/simple-auth-client/mcp_simple_auth_client/main.py
@@ -157,12 +157,14 @@ def wait_for_callback(self, timeout: int = 300):
             time.sleep(0.1)
         raise Exception("Timeout waiting for OAuth callback")
 
-    def get_state(self):
-        """Get the received state parameter."""
+    @property
+    def state(self):
+        """The received state parameter."""
         return self.callback_data["state"]
 
-    def get_iss(self):
-        """Get the received iss parameter."""
+    @property
+    def iss(self):
+        """The received iss parameter."""
         return self.callback_data["iss"]
 
 
@@ -193,9 +195,7 @@ async def callback_handler() -> AuthorizationCodeResult:
                 print("⏳ Waiting for authorization callback...")
                 try:
                     auth_code = callback_server.wait_for_callback(timeout=300)
-                    return AuthorizationCodeResult(
-                        code=auth_code, state=callback_server.get_state(), iss=callback_server.get_iss()
-                    )
+                    return AuthorizationCodeResult(code=auth_code, state=callback_server.state, iss=callback_server.iss)
                 finally:
                     callback_server.stop()
 

Original file line number	Diff line number	Diff line change
`@@ -78,7 +78,7 @@ async def callback_handler() -> AuthorizationCodeResult:`
`78`	`78`	`)`
`79`	`79`	```
`80`	`80`
`81`		-Forward the `iss` query parameter from the redirect so the validation can run; omitting it disables the issuer check for servers that send `iss`.
	`81`	+Forward the `iss` query parameter from the redirect so the validation can run: omitting it makes the flow fail with `OAuthFlowError` against servers that advertise `authorization_response_iss_parameter_supported`, and silently skips the check for servers that send `iss` without advertising it.
`82`	`82`
`83`	`83`	### `get_session_id` callback removed from `streamable_http_client`
`84`	`84`