Contributor

@christso christso commented Dec 22, 2025

Closes #5766

Summary

  • Upgrade MCP SDK to 1.25.1 to fix authorization URL bug
  • Add configurable callbackPort and callbackPath for OAuth callback
  • Support dynamic port allocation with callbackPort: 0

Problem

  1. Wrong authorization URL: MCP SDK 1.15.1 incorrectly constructs the authorization URL by appending /authorize to the issuer URL instead of using authorization_endpoint from OAuth metadata.

  2. No callback config: Users cannot configure the OAuth callback URL to match what's registered on their OAuth server.

  3. SSH port forwarding: Users running opencode over SSH may only be able to forward specific ports, requiring explicit port configuration.

Solution

  1. Upgrade MCP SDK to 1.25.1 which correctly reads authorization_endpoint from OAuth discovery metadata.

  2. Add callback config options:

    • callbackPort: OAuth callback server port (default: 19876, set to 0 for dynamic)
    • callbackPath: OAuth callback path (default: /mcp/oauth/callback)

User Configuration

"mcp": {
  "<server-name>": {
    "type": "remote",
    "url": "https://<your-mcp-server>",
    "oauth": {
      "clientId": "your-client-id",
      "callbackPort": 8080,
      "callbackPath": "/oauth/callback",
      "scope": "openid profile email"
    }
  }
}

For dynamic port (OS assigns available port, similar to VSCode's approach):

"oauth": {
  "callbackPort": 0
}

Test plan

  • Test OAuth flow works as before (no config changes)
  • Test configurable callback port/path
  • Test dynamic port allocation with callbackPort: 0
  • Unit tests for ensureRunning behavior
  • Fix mcp debug command to use actual allocated port

🤖 Generated with Claude Code
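
The two changes described in this PR, as an added JavaScript example that is not part of the PR or of opencode's code: it contrasts the issuer-plus-`/authorize` guess with reading `authorization_endpoint` from discovery metadata, and builds the redirect URI from `callbackPort`/`callbackPath`, including the `callbackPort: 0` case. The `127.0.0.1` host, the function names and the sample issuer are assumptions.

```javascript
// Added example, not opencode or MCP SDK code. callbackPort/callbackPath and their
// defaults are from the PR text; the 127.0.0.1 host and all function names are assumed.
const DEFAULTS = { callbackPort: 19876, callbackPath: "/mcp/oauth/callback" };

// What the PR says SDK 1.15.1 did: derive the endpoint by appending to the issuer.
function guessedAuthorizationEndpoint(issuer) {
  return issuer.replace(/\/$/, "") + "/authorize";
}

// What the PR says 1.25.1 does: read authorization_endpoint from discovery metadata.
// The issuer and https checks are added hardening, not taken from the PR.
function authorizationEndpoint(issuer, metadata) {
  if (metadata.issuer !== issuer) throw new Error("metadata issuer mismatch");
  const url = new URL(metadata.authorization_endpoint);
  if (url.protocol !== "https:") throw new Error("authorization_endpoint must be https");
  return url;
}

// With callbackPort: 0 the OS picks the port, so the redirect URI must carry the port
// the listener actually bound (server.address().port in Node), never the configured 0.
function redirectUri(oauthConfig, boundPort) {
  const cfg = { ...DEFAULTS, ...oauthConfig };
  const port = cfg.callbackPort === 0 ? boundPort : cfg.callbackPort;
  if (!Number.isInteger(port) || port < 1 || port > 65535) throw new Error("no usable callback port");
  if (!cfg.callbackPath.startsWith("/")) throw new Error("callbackPath must start with /");
  return `http://127.0.0.1:${port}${cfg.callbackPath}`;
}

// Assemble the authorization request (PKCE parameters left out to keep the focus).
function authorizationUrl({ issuer, metadata, oauthConfig, boundPort, state }) {
  const url = authorizationEndpoint(issuer, metadata);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", oauthConfig.clientId);
  url.searchParams.set("redirect_uri", redirectUri(oauthConfig, boundPort));
  if (oauthConfig.scope) url.searchParams.set("scope", oauthConfig.scope);
  url.searchParams.set("state", state);
  return url.toString();
}

// Constructed sample: an issuer whose real endpoint is not <issuer>/authorize.
const SAMPLE_ISSUER = "https://idp.example.com/realms/demo";
const SAMPLE_METADATA = {
  issuer: SAMPLE_ISSUER,
  authorization_endpoint: SAMPLE_ISSUER + "/protocol/openid-connect/auth",
};
```

The redirect URI produced here has to match what is registered on the OAuth server, which is why a fixed `callbackPort` remains necessary for providers that require exact URI matches.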

@christso christso changed the title feat: Add configurable redirectUri for MCP OAuth and upgrade SDK feat(mcp): Support OAuth when DCR fails via explicit client config Dec 22, 2025
@christso christso changed the title feat(mcp): Support OAuth when DCR fails via explicit client config feat(mcp): Add redirectUri config option and upgrade SDK to 1.25.1 Dec 22, 2025
@christso christso changed the title feat(mcp): Add redirectUri config option and upgrade SDK to 1.25.1 fix(mcp): Add configurable redirectUri and upgrade SDK to 1.25.1 Dec 22, 2025
@christso christso changed the title fix(mcp): Add configurable redirectUri and upgrade SDK to 1.25.1 fix(mcp): Upgrade SDK to fix auth URL and add redirectUri config Dec 22, 2025
@christso
Contributor Author


Future Enhancement Note: Dynamic port allocation (binding to port 0 and letting the OS assign an available port, similar to VSCode's approach) could be explored in a future PR for environments without strict redirect URI requirements. This would eliminate port conflicts entirely. The redirectUri config added here would remain useful as an override for OAuth providers requiring exact URI matches.

@christso christso changed the title fix(mcp): Upgrade SDK to fix auth URL and add redirectUri config fix(mcp): Upgrade SDK and add callbackPort/callbackPath config Dec 27, 2025
@christso christso marked this pull request as draft December 27, 2025 01:17
- Change config from `redirectUri` string to separate `callbackPort` and `callbackPath` options
- Support dynamic port allocation with `callbackPort: 0`
- Default behavior unchanged (port 19876)
- Add tests for ensureRunning behavior

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@christso christso force-pushed the feat/oauth-public-client-fallback branch from 377f4ab to 6dcd821 Compare December 27, 2025 01:20
christso and others added 3 commits December 27, 2025 03:33
Remove all DCR (Dynamic Client Registration) fallback code that was
incorrectly kept during the rebase conflict resolution. The commit
"remove connected_public_client" had already removed this feature.

Removed:
- connected_public_client status from Status schema
- usedPublicClient references from authenticate function
- DCR tracking in auth.ts (dcrFailed, usedPublicClient fields)
- DCR helper functions (markDcrFailed, clearDcrFailed, markUsedPublicClient)
- UI handling for connected_public_client in mcp.ts and sidebar.tsx

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Use explicit check for "failed" status instead of fallback cast.
Add exhaustive else clause to satisfy TypeScript.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix dynamic port handling when callbackPort is 0 (dynamic allocation)
- Start callback server to get actual port instead of hardcoding fallback

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@christso christso force-pushed the feat/oauth-public-client-fallback branch from 7fd33af to 260374d Compare December 27, 2025 05:12
Revert to simpler else clause with type cast.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@christso christso force-pushed the feat/oauth-public-client-fallback branch from 319518a to 88a3615 Compare December 27, 2025 05:34
🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@christso christso force-pushed the feat/oauth-public-client-fallback branch from 3eef5d6 to 01fb104 Compare December 27, 2025 05:43
- Single check with early return for "already configured" case
- Clearer flow: check running → check port in use → start server
- Renamed variable to requestedPath for consistency

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Development

Successfully merging this pull request may close these issues.

bug: OAuth uses wrong authorization URL and missing redirectUri config
