feat(oauth): non-blocking auth flow for AI agents #31
+1,966
−4
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Add McpCliOAuthProvider implementing OAuthClientProvider interface
- File-based token storage in ~/.mcp-cli/{tokens,clients,verifiers}
- Support authorization_code and client_credentials grant types
- Auto-create OAuth provider for all HTTP servers (enables server-initiated OAuth)
- Handle OAuth callback with local HTTP server on configurable port
- Cross-platform browser opening for authorization flow
- Detect OAuth errors from UnauthorizedError and invalid_token responses
This enables MCP servers like Linear that require OAuth authentication.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Start callback server BEFORE opening browser to fix race condition where browser redirects before server is ready - Add allowInteractiveAuth option to disable OAuth prompts when listing multiple servers (prevents multiple browsers opening) - Show helpful "requires authentication" message for unauthenticated servers when listing, with command to authenticate individually - Export AuthRequiredError and ConnectOptions from client module Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add port fallback mechanism: tries 80 → 8080 → 3000 → 8095 → random - Port 80 as default with standard URL format (http://localhost/callback) - Add pretty styled HTML pages for success/error callbacks - Add callbackPorts config option for custom port fallback list - Pre-start callback server to determine actual port before auth flow - Add comprehensive tests for new port fallback features Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When the callback server port changes between sessions (e.g., port 3000 was used during registration but port 8080 is available now), the OAuth authorization would fail with "Invalid redirect_uri" because the server expects the originally registered redirect_uri. Changes: - clientInformation() now validates stored redirect_uris match current redirectUrl, invalidating stale registrations that would cause errors - redirectToAuthorization() reuses pre-started callback server instead of starting a new one, ensuring consistent port usage throughout the OAuth flow Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Split the 850-line oauth.ts into smaller, focused modules: - types.ts: Interfaces (OAuthConfig, OAuthCallbackResult) and constants - storage.ts: File storage utilities for tokens, clients, verifiers - browser.ts: Cross-platform browser opening utility - callback-server.ts: HTTP callback server with HTML templates - provider.ts: Main McpCliOAuthProvider class - index.ts: Re-exports for backwards compatibility Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CLI NEVER opens browser - always returns auth URL for AI agents. Key changes: - Removed allowInteractiveAuth option entirely (CLI is for AI agents) - redirectToAuthorization() now captures auth URL, never opens browser - AuthRequiredError includes authorization URL for immediate action - Callback server runs in background (5 min timeout) - CLI returns immediately - List command shows working servers + auth URLs for servers needing login - Random port by default to avoid conflicts with multiple OAuth servers - Added comprehensive OAuth configuration docs to README This builds on the previous OAuth commits in this branch.
|
@philschmid it doesn't work, the callback server is stopped before it starts to listen. Example output: Since this is in your PR and branch now, here's my Claude's plan to fix it in case it's helpful: Claude's planDetails |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Continuation of #22 with improvements based on review feedback.
Key change from PR #22: CLI now NEVER opens browser - always returns auth URL for AI agents.
What's Different from #22
allowInteractiveAuthChanges
allowInteractiveAuthentirely - CLI is designed for AI agentsredirectToAuthorization()captures auth URL - never opens browserAuthRequiredErrorincludes authorization URL for immediate actionPrevious OAuth commits in this branch (from #22)
Testing
All 232 tests pass, lint clean.
cc @attehuhtakangas - would appreciate if you could test this version! The main difference is that it never tries to open a browser, which is better suited for AI agent usage.