Fix session swapping vulnerability: upgrade OAuth state parameter to MUST

[Copilot]

The state parameter in the authorization code flow is specified as SHOULD, leaving MCP clients vulnerable to session swapping attacks. An attacker who completes their own authorization flow can inject the resulting authorization response into a victim's client, causing the victim to operate under the attacker's identity. PKCE alone doesn't prevent this—it binds the code to the client instance, not to the user agent session.

Changes

• state upgraded from SHOULD to MUST in the Open Redirection section, with requirements for cryptographic randomness and session binding per OAuth 2.1 §4.1.1
• Flow diagram updated to include state generation, transmission in authorization request/response, and verification on callback
• New "Session Integrity" subsection in Security Considerations describing the attack vector and specifying four concrete requirements: unique generation, session binding, response verification, and single-use with expiry

Defense-in-depth rationale

Mechanism	Protects against
PKCE	Authorization code injection (different client can't exchange the code)
state	Session swapping (response processed only in the session that initiated the request)

Both are needed. PKCE ensures the same client exchanges the code. state ensures the same user session processes the response.

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.