feat(teams): per-user OAuth connect flow (Path B) broker connector (spec 074, MCP-1038) #602

Open

Dumbris wants to merge 1 commit into main from 074-t5-oauth-connector

@Dumbris Dumbris commented Jun 4, 2026

Spec 074 · T5 — OAuthConnector (Path B)

Implements the per-user OAuth connect flow for upstreams whose AS does not support token exchange but does standard authorization-code OAuth. This is the connector engine + handlers; REST endpoints are T8 ([MCP-1041]).

Builds on T1 ([MCP-1034], CredentialStore #587) and T2 ([MCP-1035], auth_broker config #588), both merged.

What's added

internal/teams/broker/OAuthConnector (server edition only):

  • BuildAuthorizationURL(userID) — generates a PKCE (S256) verifier/challenge and an opaque per-user state, tracks the pending flow in-memory with a TTL, and returns the upstream authorize URL. Explicit AS consent + unguessable state = confused-deputy avoidance (FR-011).
  • Complete(ctx, state, code) — validates state (rejects unknown / expired / already-used), exchanges the code via the bound verifier at the token endpoint, and persists the per-user credential encrypted with ObtainedVia=connect_flow (FR-010). State is single-use.
  • Deny(state, reason) — denied/failed callback clears the pending flow and stores nothing.
  • Refresh(ctx, userID) — transparent refresh_token grant; preserves a non-rotated refresh token (FR-012).

Store key uses the existing oauth.GenerateServerKey(name,url) scheme. The HTTP token-exchange pattern mirrors the merged internal/teams/auth/oauth_providers.go.

Config

config.AuthBrokerConfig gains authorization_endpoint, now required when mode: oauth_connect (the connect flow needs the upstream authorize URL). token_exchange/entra_obo are unaffected.

Tests (TDD — test-first, watched RED → GREEN)

oauth_connector_test.go: PKCE URL build + per-flow uniqueness, full PKCE roundtrip (token endpoint receives a verifier whose S256 equals the advertised challenge), invalid/expired/one-time state, token-endpoint error → nothing stored, denied consent → nothing stored, refresh path (incl. preserve-on-no-rotation and no-refresh-token error), constructor validation. Plus auth_broker_test.go for the new config requirement.

Verification

  • go test -tags server -race ./internal/teams/broker/ ./internal/config/
  • go test -tags server ./internal/teams/...
  • go build -tags server ./cmd/mcpproxy ✅ and go build ./cmd/mcpproxy (personal unaffected) ✅
  • gofmt -l clean, go vet -tags server clean

Docs note

The whole auth_broker block is still being assembled across spec-074 tasks and currently has no user-facing docs (T1/T2 merged the config block + store with godoc only; the user surface — REST/CLI — lands in T8/T9). Following that precedent, end-user docs for the connect flow belong with the surfacing tasks; the new config key carries thorough godoc here.

Related #1038

…pec 074, MCP-1038)

Adds internal/teams/broker.OAuthConnector implementing Path B of the
upstream token-brokering spec: a per-user authorization-code + PKCE
connect flow against an upstream AS that does not support token exchange.

- BuildAuthorizationURL: PKCE (S256) verifier/challenge + opaque per-user
  state, tracked in-memory with a TTL; requires explicit AS consent
  (confused-deputy avoidance, FR-011).
- Complete: validates state (unknown/expired/one-time), exchanges the code
  via the bound verifier, stores the per-user credential encrypted with
  ObtainedVia=connect_flow (FR-010).
- Deny: clears the pending flow, stores nothing (denied consent).
- Refresh: transparent refresh_token grant, preserving a non-rotated
  refresh token (FR-012).

Config: AuthBrokerConfig gains authorization_endpoint, required for the
oauth_connect mode.

TDD: PKCE URL build + uniqueness, PKCE roundtrip, invalid/expired/one-time
state, token-endpoint error, denied consent stores nothing, refresh path.
Reuses oauth.GenerateServerKey for the store key; server edition only.

Related #1038

Co-Authored-By: Paperclip <noreply@paperclip.ing>
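
The pending-flow tracking that the description and commit message above outline (PKCE S256 challenge, opaque state held in memory with a TTL, single-use validation), as an added Go example that is not the PR's code. `flow`, `pending`, `begin` and `consume` are hypothetical names; the token-endpoint exchange and the encrypted credential store are left out.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sync"
	"time"
)

// flow and pending are hypothetical names, not the PR's OAuthConnector types.
type flow struct {
	userID, verifier string
	expires          time.Time
}
type pending struct {
	mu    sync.Mutex
	flows map[string]flow // keyed by the opaque state value
}

// begin returns the state and S256 challenge to put in the authorize URL.
func (p *pending) begin(userID string, ttl time.Duration) (string, string, error) {
	b := make([]byte, 64) // 32 random bytes each for state and verifier
	if _, err := rand.Read(b); err != nil {
		return "", "", err // never fall back to a guessable value
	}
	enc := base64.RawURLEncoding.EncodeToString
	state, verifier := enc(b[:32]), enc(b[32:])
	sum := sha256.Sum256([]byte(verifier)) // RFC 7636 S256 transform
	p.mu.Lock()
	defer p.mu.Unlock()
	p.flows[state] = flow{userID, verifier, time.Now().Add(ttl)}
	return state, enc(sum[:]), nil
}

// consume deletes before judging, so a state can never validate twice.
func (p *pending) consume(state string) (f flow, ok bool) {
	p.mu.Lock()
	defer p.mu.Unlock()
	f, ok = p.flows[state]
	delete(p.flows, state)
	return f, ok && time.Now().Before(f.expires) // false: unknown, used or expired
}

func main() {
	p := &pending{flows: map[string]flow{}}
	fmt.Println(p.begin("user-1", 10*time.Minute))
}
```

Because the lookup and the delete happen under one lock, two concurrent callbacks carrying the same state cannot both obtain the verifier.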
@cloudflare-workers-and-pages

Deploying mcpproxy-docs with Cloudflare Pages

Latest commit: 093093b
Status: ✅  Deploy successful!
Preview URL: https://f43fc44c.mcpproxy-docs.pages.dev
Branch Preview URL: https://074-t5-oauth-connector.mcpproxy-docs.pages.dev

@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.

github-actions Bot commented Jun 4, 2026

📦 Build Artifacts

Workflow Run: View Run
Branch: 074-t5-oauth-connector

Available Artifacts

  • archive-darwin-amd64 (28 MB)
  • archive-darwin-arm64 (25 MB)
  • archive-linux-amd64 (16 MB)
  • archive-linux-arm64 (14 MB)
  • archive-windows-amd64 (28 MB)
  • archive-windows-arm64 (24 MB)
  • frontend-dist-pr (0 MB)
  • installer-dmg-darwin-amd64 (21 MB)
  • installer-dmg-darwin-arm64 (19 MB)

How to Download

Option 1: GitHub Web UI (easiest)

  1. Go to the workflow run page linked above
  2. Scroll to the bottom "Artifacts" section
  3. Click on the artifact you want to download

Option 2: GitHub CLI

gh run download 26968177071 --repo smart-mcp-proxy/mcpproxy-go

Note: Artifacts expire in 14 days.
