feat: support oauth2 protected mcp servers#3
Conversation
I learned some new things during development & had to revise the spec.
Summary of ChangesHello @mKeRix, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly enhances Toolscript's capabilities by integrating robust OAuth2 authentication for HTTP and SSE MCP servers. The primary goal is to enable seamless interaction with modern, protected APIs by providing a user-friendly CLI command for interactive authorization and automatic handling of token lifecycle. The changes are designed to be additive, ensuring backward compatibility while introducing a secure and efficient authentication mechanism. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #3 +/- ##
==========================================
- Coverage 52.83% 52.34% -0.50%
==========================================
Files 25 32 +7
Lines 1709 2279 +570
Branches 105 136 +31
==========================================
+ Hits 903 1193 +290
- Misses 806 1086 +280 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Code Review
This pull request introduces a significant and well-architected feature to support OAuth2-protected MCP servers. The changes are extensive, including a new toolscript auth command for handling the Authorization Code flow, persistent token storage, and integration with the MCP SDK's OAuth capabilities. The code is well-structured, with good separation of concerns into new modules for OAuth providers, storage, and utilities. The addition of comprehensive unit, integration, and E2E tests is commendable.
However, I've identified a critical bug in the toolscript auth command's implementation that prevents the Authorization Code flow from completing successfully due to incorrect state management of the OAuth provider. I've also noted a discrepancy where the documentation and design files mention support for the Client Credentials flow, but the implementation for it appears to be missing.
Once these issues are addressed, this will be an excellent addition to the project.
|
/gemini review |
There was a problem hiding this comment.
Code Review
This is a comprehensive pull request that adds significant new functionality for OAuth2 authentication. The changes are well-structured, with new logic organized into a dedicated oauth module, a new auth CLI command, and necessary updates to the gateway. The implementation smartly leverages the MCP SDK's capabilities, focusing on providing a persistent storage layer and a user-friendly command-line flow. The inclusion of detailed design documents and extensive tests (unit, integration, and E2E) is commendable. I've identified a couple of minor areas for improvement: a typo in a log message and some redundant code that can be cleaned up for better clarity. Overall, this is an excellent and well-executed feature.
# 1.0.0 (2025-12-01) ### Features * add config merging ([#5](#5)) ([4d58cb7](4d58cb7)) * add semantic tool search ([#2](#2)) ([cac523b](cac523b)) * allow filtering exposed tools ([#4](#4)) ([bd1d64c](bd1d64c)) * implement code mode ([#1](#1)) ([b3c4646](b3c4646)) * initial commit ([5477138](5477138)) * support oauth2 protected mcp servers ([#3](#3)) ([f5408d1](f5408d1))
# 1.0.0 (2025-12-01) ### Features * add config merging ([#5](#5)) ([4d58cb7](4d58cb7)) * add semantic tool search ([#2](#2)) ([cac523b](cac523b)) * allow filtering exposed tools ([#4](#4)) ([bd1d64c](bd1d64c)) * implement code mode ([#1](#1)) ([b3c4646](b3c4646)) * initial commit ([5477138](5477138)) * support oauth2 protected mcp servers ([#3](#3)) ([f5408d1](f5408d1))
|
🎉 This PR is included in version 1.0.0 🎉 The release is available on: Your semantic-release bot 📦🚀 |
This change will allow toolscript to be used with MCP servers that require authentication via oauth2, specifically via the authorization code flow with dynamic client registration.