@christso (Contributor) commented Dec 22, 2025

Closes #5766

Summary

  • Upgrade MCP SDK to 1.25.1 to fix authorization URL bug
  • Add configurable redirectUri for OAuth callback (simpler than separate port/path)

Problem

  1. Wrong authorization URL: MCP SDK 1.15.1 incorrectly constructs the authorization URL by appending /authorize to the issuer URL instead of using authorization_endpoint from OAuth metadata.

  2. No callback config: Users cannot configure the OAuth callback URL to match what's registered on their OAuth server.

Solution

  1. Upgrade MCP SDK to 1.25.1 which correctly reads authorization_endpoint from OAuth discovery metadata.

  2. Add redirectUri config option: A single URI string that specifies the full callback URL. This is cleaner than separate port/path options and matches standard OAuth library patterns.

User Configuration

"mcp": {
  "<server-name>": {
    "type": "remote",
    "url": "https://<your-mcp-server>",
    "oauth": {
      "clientId": "your-client-id",
      "redirectUri": "http://127.0.0.1:8080/oauth/callback",
      "scope": "openid profile email"
    }
  }
}

If redirectUri is not specified, the default http://127.0.0.1:19876/mcp/oauth/callback is used.

Why redirectUri instead of callbackPort/callbackPath?

  • Simpler: Single config value vs two separate fields
  • Standard pattern: Matches how OAuth libraries/docs describe redirect URIs
  • Easier debugging: You see exactly what URL will be used
  • No security difference: A malicious actor with local machine access could intercept callbacks regardless of port restrictions

Test plan

  • Test OAuth flow works as before (no config changes)
  • Test configurable redirectUri
  • Unit tests for ensureRunning behavior with custom URIs

🤖 Generated with Claude Code
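The two URL constructions contrasted under "Problem" above, shown as an added example (not code from this PR or from the MCP SDK). The metadata values, the function names and the PKCE check are assumptions of the example; the metadata field names are those of RFC 8414.

```javascript
// Constructed sample metadata: the advertised endpoint is NOT issuer + "/authorize".
const SAMPLE_METADATA = {
  issuer: "https://idp.example/tenant-a",
  authorization_endpoint: "https://login.idp.example/oauth2/v2/authorize",
  token_endpoint: "https://login.idp.example/oauth2/v2/token",
  response_types_supported: ["code"],
  code_challenge_methods_supported: ["S256"],
};

// The failure mode described in the PR: guessing the endpoint from the issuer.
function guessedAuthorizationUrl(meta) {
  return new URL(meta.issuer.replace(/\/$/, "") + "/authorize");
}

// Build the request from the endpoint the server actually advertises.
function buildAuthorizationUrl(meta, { clientId, redirectUri, scope, state, codeChallenge }) {
  if (typeof meta.authorization_endpoint !== "string") {
    throw new Error("metadata has no authorization_endpoint");
  }
  const url = new URL(meta.authorization_endpoint);
  if (url.protocol !== "https:") {
    throw new Error("authorization_endpoint must be https");
  }
  // Assumption: a public client (no secret) relies on PKCE, so require S256.
  if (!(meta.code_challenge_methods_supported || []).includes("S256")) {
    throw new Error("server does not advertise PKCE S256");
  }
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", clientId);
  // Must match the URI registered on the OAuth server exactly.
  url.searchParams.set("redirect_uri", redirectUri);
  if (scope) url.searchParams.set("scope", scope);
  url.searchParams.set("state", state);
  url.searchParams.set("code_challenge", codeChallenge);
  url.searchParams.set("code_challenge_method", "S256");
  return url;
}
```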

@christso changed the title from "feat: Add configurable redirectUri for MCP OAuth and upgrade SDK" to "feat(mcp): Support OAuth when DCR fails via explicit client config", Dec 22, 2025
@christso changed the title from "feat(mcp): Support OAuth when DCR fails via explicit client config" to "feat(mcp): Add redirectUri config option and upgrade SDK to 1.25.1", Dec 22, 2025
@christso changed the title from "feat(mcp): Add redirectUri config option and upgrade SDK to 1.25.1" to "fix(mcp): Add configurable redirectUri and upgrade SDK to 1.25.1", Dec 22, 2025
@christso changed the title from "fix(mcp): Add configurable redirectUri and upgrade SDK to 1.25.1" to "fix(mcp): Upgrade SDK to fix auth URL and add redirectUri config", Dec 22, 2025
@christso (Contributor, Author) commented

Future Enhancement Note: Dynamic port allocation (binding to port 0 and letting the OS assign an available port, similar to VSCode's approach) could be explored in a future PR for environments without strict redirect URI requirements. This would eliminate port conflicts entirely. The redirectUri config added here would remain useful as an override for OAuth providers requiring exact URI matches.
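One way to turn a configured redirectUri into listener settings, as an added example (not the PR's parseRedirectUri() helper). The function names and the loopback-only, no-credentials and no-fragment checks are assumptions of this example; the default URI is the one stated in the PR description.

```javascript
// Default taken from the PR description.
const DEFAULT_REDIRECT_URI = "http://127.0.0.1:19876/mcp/oauth/callback";
// Assumption: the callback listener may only be addressed on loopback.
const LOOPBACK_HOSTS = new Set(["127.0.0.1", "localhost", "[::1]"]);

function parseLoopbackRedirectUri(redirectUri = DEFAULT_REDIRECT_URI) {
  let url;
  try {
    url = new URL(redirectUri);
  } catch {
    throw new Error(`redirectUri is not a valid URL: ${redirectUri}`);
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`unsupported scheme: ${url.protocol}`);
  }
  // Compare the parsed hostname, never a substring of the raw string, so
  // look-alike hosts and userinfo components do not pass as loopback.
  if (!LOOPBACK_HOSTS.has(url.hostname)) {
    throw new Error(`callback host must be loopback, got ${url.hostname}`);
  }
  if (url.username || url.password || url.hash) {
    throw new Error("redirectUri must not contain credentials or a fragment");
  }
  // URL.port is "" when the port is omitted or equals the scheme default.
  const port = url.port ? Number(url.port) : url.protocol === "https:" ? 443 : 80;
  return { host: url.hostname, port, path: url.pathname };
}

// The listener should answer only on the configured callback path.
function isExpectedCallback(requestUrl, expected) {
  return requestUrl.split("?", 1)[0] === expected.path;
}
```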

@christso changed the title from "fix(mcp): Upgrade SDK to fix auth URL and add redirectUri config" to "fix(mcp): Upgrade SDK and add callbackPort/callbackPath config", Dec 27, 2025
@christso marked this pull request as draft, December 27, 2025 01:17
@christso force-pushed the feat/oauth-public-client-fallback branch 4 times, most recently from 3eef5d6 to 01fb104, December 27, 2025 05:43
christso and others added 3 commits December 28, 2025 08:06

Update MCP SDK to get latest OAuth improvements including better
public client support.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Add support for OAuth public clients (no client secret) with configurable
redirect URI. This enables MCP servers that don't support dynamic client
registration to work with pre-registered public OAuth clients.

Changes:
- Add redirectUri option to McpOAuthConfig for flexible callback configuration
- Add parseRedirectUri() helper to extract port/path from URI string
- Update oauth-callback server to accept redirectUri parameter
- Support public clients via token_endpoint_auth_method: "none"
- Update config schema and CLI debug command

The redirectUri approach is cleaner than separate port/path options and
matches standard OAuth library patterns, making debugging easier.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Add test coverage for McpOAuthCallback.ensureRunning() including:
- Default port/path behavior
- Custom redirectUri parsing
- Server restart on config change
- Idempotent behavior
- Start/stop lifecycle

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

@christso force-pushed the feat/oauth-public-client-fallback branch from ed54e4f to 914d122, December 27, 2025 21:16
@christso changed the title from "fix(mcp): Upgrade SDK and add callbackPort/callbackPath config" to "fix(mcp): Upgrade SDK and add redirectUri config for OAuth callback", Dec 27, 2025

- Remove redundant tests (duplicate default/isRunning checks)
- Add dedicated parseRedirectUri unit tests for port/path parsing
- Test edge cases: http/https defaults, invalid URIs

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Development

Successfully merging this pull request may close these issues.

bug: OAuth uses wrong authorization URL and missing redirectUri config
