Description
Currently, the OAuth2 PKCE implementation in `src/mcp/client/auth.py` stores the `state` and `code_verifier` in memory only, which prevents splitting the OAuth authorization flow across multiple processes.
This is common for apps with servers split between a frontend and a backend, where the backend cannot be blocked on a UI action. The UI first requests the server to generate the link, and the server processes the callback separately once the user follows it. The `state` and `code_verifier` are persisted between the calls with a short expiration time.
Proposal:
- Add support for persisting the `state` and `code_verifier` values, e.g. through the `redirectHandler`, and looking them up in the `callbackHandler` for the final token exchange.
- Allow more granular execution of the flow: `generateUrl` and `exchangeToken` should be callable individually.
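As an added illustration of the split flow described above (not code from the MCP SDK; the function names, the `store` dict and the callback URL format are assumptions standing in for whatever persistence the handlers would use), here is a PKCE flow whose two halves share nothing but a store keyed by `state`, with the entry expiring and being consumed exactly once:

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

STATE_TTL_SECONDS = 300  # short expiration for the persisted state/verifier pair


def pkce_challenge(code_verifier: str) -> str:
    """S256 code_challenge (RFC 7636): base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def generate_url(store, authorize_endpoint, client_id, redirect_uri, now=None):
    """First half (UI-facing process): mint state + verifier, persist with expiry, return URL."""
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(32)
    code_verifier = secrets.token_urlsafe(64)  # 86 chars, within RFC 7636's 43..128
    # Hypothetical store: in practice a DB/cache shared by both processes.
    store[state] = {"code_verifier": code_verifier, "expires_at": now + STATE_TTL_SECONDS}
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def exchange_token_request(store, callback_url, client_id, redirect_uri, now=None):
    """Second half (callback process): recover the verifier by state, build the token body."""
    now = time.time() if now is None else now
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    code = query.get("code", [None])[0]
    entry = store.pop(state, None)  # pop: a replayed callback finds nothing
    if entry is None or code is None:
        raise ValueError("unknown, missing or already-used state")
    if now > entry["expires_at"]:
        raise ValueError("state expired")
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": entry["code_verifier"],
    }
```

The returned dict is the form body for the token endpoint; sending it is left to whichever HTTP client the callback process already uses.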