Add OAuth 2.0 support to HTTP MCP bridge (Claude Code http bridge support) #104
Conversation
- Implement RFC9728 Protected Resource Metadata
- Implement RFC7591 Dynamic Client Registration
- Add authorize endpoint with auto-approve for existing sessions
- Add token endpoint for bearer token exchange
- Add HTML login page for web-based authentication
- Add oauthHandler module with OAuth utilities and handlers
- Support both token and username/password authentication
- Local-only OAuth (127.0.0.1), suitable for development bridge
- Bind HTTP server to 127.0.0.1 only instead of all interfaces
- Escape JSON in login page to prevent script tag break-out XSS
- Validate client_id and redirect_uri against registered clients before redirect
- Add origin check on /oauth/store-session endpoint for CSRF protection
- Use token_endpoint_auth_method "none" (no client_secret) for local bridge
- Validate redirect_uri in /oauth/token matches authorize request
- Fix missing Content-Type headers in error responses
- Validate backend_url is a valid URL to prevent prototype pollution
- Accept /mcp and /mcp/ paths for backward compatibility with trailing slash clients
- Bind OAuth codes to client_id to prevent cross-client code redemption
- Validate client_id in /oauth/token matches authorize request
- Require Origin/Referer header in /oauth/store-session (reject if missing)
- Validate response_type=code in /oauth/authorize endpoint
- Add cleanupExpiredTokens() called on token issuance to prevent unbounded growth
- Restrict backend_url to http/https schemes only (reject file:, data:, etc)
    if (existingAuth && existingAuth.entry && existingAuth.entry.sessionId) {
      // Auto-generate code and redirect
      const code = generateCode();
      pendingCodes.set(code, {
pendingCodes entries only get removed on successful token exchange (or if the code is presented to /oauth/token after expiry), so unredeemed auth codes can accumulate in-memory indefinitely. Consider adding some periodic/age-based pruning for pendingCodes as well (similar risk applies to registeredClients).
Adds a lightweight OAuth 2.0 layer to the HTTP MCP bridge to support browser/Claude Code style “local” authorization flows.
Changes:
- Introduced OAuth endpoints alongside /mcp: metadata (/.well-known/oauth-authorization-server), dynamic client registration (/oauth/register), authorization (/oauth/authorize), token exchange (/oauth/token), and a helper (/oauth/store-session).
- Added oauthHandler module to generate codes/tokens, manage in-memory stores, and implement endpoint handlers.
- Implemented RFC9728-style authorization server metadata and RFC7591-style dynamic client registration responses.
- Added an HTML login page that can authenticate to the Context Engine backend via token or username/password and then issue an auth code.
- Updated the HTTP server routing to dispatch OAuth paths and keep the existing MCP POST behavior for backward compatibility.
Technical Notes: Issuer is currently derived as http://127.0.0.1:${port}; tokens/codes are stored in-process with simple time-based expiry.