
fix(mcp): Upgrade SDK and add redirectUri config for OAuth callback

Open christso opened this issue 3 weeks ago • 1 comments

Closes #5766

Summary

  • Upgrade MCP SDK to 1.25.1 to fix authorization URL bug
  • Add configurable redirectUri for OAuth callback (simpler than separate port/path)

Problem

  1. Wrong authorization URL: MCP SDK 1.15.1 incorrectly constructs the authorization URL by appending /authorize to the issuer URL instead of using authorization_endpoint from OAuth metadata.

  2. No callback config: Users cannot configure the OAuth callback URL to match what's registered on their OAuth server.

Solution

  1. Upgrade MCP SDK to 1.25.1 which correctly reads authorization_endpoint from OAuth discovery metadata.

  2. Add redirectUri config option: A single URI string that specifies the full callback URL. This is cleaner than separate port/path options and matches standard OAuth library patterns.

User Configuration

"mcp": {
  "<server-name>": {
    "type": "remote",
    "url": "https://<your-mcp-server>",
    "oauth": {
      "clientId": "your-client-id",
      "redirectUri": "http://127.0.0.1:8080/oauth/callback",
      "scope": "openid profile email"
    }
  }
}

If redirectUri is not specified, the default http://127.0.0.1:19876/mcp/oauth/callback is used.

Why redirectUri instead of callbackPort/callbackPath?

  • Simpler: Single config value vs two separate fields
  • Standard pattern: Matches how OAuth libraries/docs describe redirect URIs
  • Easier debugging: You see exactly what URL will be used
  • No security difference: A malicious actor with local machine access could intercept callbacks regardless of port restrictions

Test plan

  • [x] Test OAuth flow works as before (no config changes)
  • [x] Test configurable redirectUri
  • [x] Unit tests for ensureRunning behavior with custom URIs

🤖 Generated with Claude Code

christso Dec 22 '25 07:12
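An added example, not code from this PR or from the MCP SDK: it shows the authorization URL taken from `authorization_endpoint` in discovery metadata rather than from issuer + `/authorize`, and a `redirectUri` setting resolved into local listener settings with the stated default. All function names, the sample metadata and the loopback-only check are assumptions made for illustration.

```javascript
// Added example: names below are hypothetical, not opencode or MCP SDK APIs.
const DEFAULT_REDIRECT_URI = "http://127.0.0.1:19876/mcp/oauth/callback"; // default from the PR text

// Turn the configured redirectUri into settings for the local callback listener.
// Assumption: the listener is loopback-only, so any other host is rejected.
function parseRedirectUri(redirectUri = DEFAULT_REDIRECT_URI) {
  const u = new URL(redirectUri);
  if (!["127.0.0.1", "localhost", "[::1]"].includes(u.hostname)) {
    throw new Error(`redirectUri host ${u.hostname} is not a loopback address`);
  }
  if (u.hash) throw new Error("redirectUri must not contain a fragment");
  const port = u.port ? Number(u.port) : u.protocol === "https:" ? 443 : 80;
  // Keep the original string: servers that require an exact match compare it as sent.
  return { host: u.hostname, port, path: u.pathname, redirectUri };
}

// The construction the PR describes as the bug: issuer + "/authorize".
function naiveAuthorizationEndpoint(issuer) {
  return issuer.replace(/\/$/, "") + "/authorize";
}

// The behaviour the PR describes as the fix: use authorization_endpoint from metadata.
function buildAuthorizationUrl(metadata, oauth, state) {
  if (!metadata.authorization_endpoint) {
    throw new Error("discovery metadata has no authorization_endpoint");
  }
  const { redirectUri } = parseRedirectUri(oauth.redirectUri);
  const url = new URL(metadata.authorization_endpoint);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", oauth.clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  if (oauth.scope) url.searchParams.set("scope", oauth.scope);
  url.searchParams.set("state", state); // PKCE parameters are outside this example
  return url;
}

// Constructed sample metadata and config (not taken from a real server).
const sampleMetadata = {
  issuer: "https://idp.example.test/tenant-a",
  authorization_endpoint: "https://idp.example.test/tenant-a/oauth2/v2/authorize",
};
const sampleOauth = {
  clientId: "your-client-id",
  redirectUri: "http://127.0.0.1:8080/oauth/callback",
  scope: "openid profile email",
};
const authUrl = buildAuthorizationUrl(sampleMetadata, sampleOauth, "constructed-state");
console.log(authUrl.toString());
console.log("naive:", naiveAuthorizationEndpoint(sampleMetadata.issuer));
```

With the constructed metadata, the naive endpoint and the discovered endpoint differ, which is the mismatch that produces a wrong authorization URL.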


Future Enhancement Note: Dynamic port allocation (binding to port 0 and letting the OS assign an available port, similar to VSCode's approach) could be explored in a future PR for environments without strict redirect URI requirements. This would eliminate port conflicts entirely. The redirectUri config added here would remain useful as an override for OAuth providers requiring exact URI matches.

christso Dec 25 '25 05:12