Skip to content

fix: use discoverOAuthFromWWWAuthenticate for reactive OAuth flow (#18760) #19038

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
scidomino merged 5 commits into from
Feb 20, 2026
Merged

fix: use discoverOAuthFromWWWAuthenticate for reactive OAuth flow (#18760) #19038

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
e72b076
fix: use discoverOAuthFromWWWAuthenticate for reactive OAuth flow
maximus12793 Feb 13, 2026
8226a9b
test: add tests for discoverOAuthFromWWWAuthenticate in handleAutomat…
maximus12793 Feb 19, 2026
df9c3cb
Merge branch 'main' into fix/oauth-reactive-discovery-18760
maximus12793 Feb 20, 2026
4a04f82
Merge branch 'main' into fix/oauth-reactive-discovery-18760
maximus12793 Feb 20, 2026
f03b4e3
Merge branch 'main' into fix/oauth-reactive-discovery-18760
maximus12793 Feb 20, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
84 changes: 84 additions & 0 deletions packages/core/src/tools/mcp-client.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2056,6 +2056,90 @@ describe('connectToMcpServer with OAuth', () => {
capturedTransport._requestInit?.headers?.['Authorization'];
expect(authHeader).toBe('Bearer test-access-token-from-discovery');
});

it('should use discoverOAuthFromWWWAuthenticate when it succeeds and skip discoverOAuthConfig', async () => {
const serverUrl = 'http://test-server.com/mcp';
const authUrl = 'http://auth.example.com/auth';
const tokenUrl = 'http://auth.example.com/token';
const wwwAuthHeader = `Bearer realm="test", resource_metadata="http://test-server.com/.well-known/oauth-protected-resource"`;

vi.mocked(mockedClient.connect).mockRejectedValueOnce(
new StreamableHTTPError(
401,
`Unauthorized\nwww-authenticate: ${wwwAuthHeader}`,
),
);

vi.mocked(OAuthUtils.discoverOAuthFromWWWAuthenticate).mockResolvedValue({
authorizationUrl: authUrl,
tokenUrl,
scopes: ['read'],
});

vi.mocked(mockedClient.connect).mockResolvedValueOnce(undefined);

const client = await connectToMcpServer(
'0.0.1',
'test-server',
{ httpUrl: serverUrl, oauth: { enabled: true } },
false,
workspaceContext,
EMPTY_CONFIG,
);

expect(client).toBe(mockedClient);
expect(OAuthUtils.discoverOAuthFromWWWAuthenticate).toHaveBeenCalledWith(
wwwAuthHeader,
serverUrl,
);
expect(OAuthUtils.discoverOAuthConfig).not.toHaveBeenCalled();
expect(mockAuthProvider.authenticate).toHaveBeenCalledOnce();
});

it('should fall back to extractBaseUrl + discoverOAuthConfig when discoverOAuthFromWWWAuthenticate returns null', async () => {
const serverUrl = 'http://test-server.com/mcp';
const baseUrl = 'http://test-server.com';
const authUrl = 'http://auth.example.com/auth';
const tokenUrl = 'http://auth.example.com/token';
const wwwAuthHeader = `Bearer realm="test"`;

vi.mocked(mockedClient.connect).mockRejectedValueOnce(
new StreamableHTTPError(
401,
`Unauthorized\nwww-authenticate: ${wwwAuthHeader}`,
),
);

vi.mocked(OAuthUtils.discoverOAuthFromWWWAuthenticate).mockResolvedValue(
null,
);
vi.mocked(OAuthUtils.extractBaseUrl).mockReturnValue(baseUrl);
vi.mocked(OAuthUtils.discoverOAuthConfig).mockResolvedValue({
authorizationUrl: authUrl,
tokenUrl,
scopes: ['read'],
});

vi.mocked(mockedClient.connect).mockResolvedValueOnce(undefined);

const client = await connectToMcpServer(
'0.0.1',
'test-server',
{ httpUrl: serverUrl, oauth: { enabled: true } },
false,
workspaceContext,
EMPTY_CONFIG,
);

expect(client).toBe(mockedClient);
expect(OAuthUtils.discoverOAuthFromWWWAuthenticate).toHaveBeenCalledWith(
wwwAuthHeader,
serverUrl,
);
expect(OAuthUtils.extractBaseUrl).toHaveBeenCalledWith(serverUrl);
expect(OAuthUtils.discoverOAuthConfig).toHaveBeenCalledWith(baseUrl);
expect(mockAuthProvider.authenticate).toHaveBeenCalledOnce();
});
});

describe('connectToMcpServer - HTTP→SSE fallback', () => {
Expand Down
23 changes: 10 additions & 13 deletions packages/core/src/tools/mcp-client.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -719,18 +719,17 @@ async function handleAutomaticOAuth(
try {
debugLogger.log(`🔐 '${mcpServerName}' requires OAuth authentication`);

// Always try to parse the resource metadata URI from the www-authenticate header
let oauthConfig;
const resourceMetadataUri =
OAuthUtils.parseWWWAuthenticateHeader(wwwAuthenticate);
if (resourceMetadataUri) {
oauthConfig = await OAuthUtils.discoverOAuthConfig(resourceMetadataUri);
} else if (hasNetworkTransport(mcpServerConfig)) {
const serverUrl = mcpServerConfig.httpUrl || mcpServerConfig.url;

// Try to discover OAuth config from the WWW-Authenticate header first
let oauthConfig = await OAuthUtils.discoverOAuthFromWWWAuthenticate(
wwwAuthenticate,
serverUrl,
);

if (!oauthConfig && hasNetworkTransport(mcpServerConfig)) {
// Fallback: try to discover OAuth config from the base URL
const serverUrl = new URL(
mcpServerConfig.httpUrl || mcpServerConfig.url!,
);
const baseUrl = `${serverUrl.protocol}//${serverUrl.host}`;
const baseUrl = OAuthUtils.extractBaseUrl(serverUrl!);
oauthConfig = await OAuthUtils.discoverOAuthConfig(baseUrl);
}

Expand All @@ -754,8 +753,6 @@ async function handleAutomaticOAuth(
};

// Perform OAuth authentication
// Pass the server URL for proper discovery
const serverUrl = mcpServerConfig.httpUrl || mcpServerConfig.url;
debugLogger.log(
`Starting OAuth authentication for server '${mcpServerName}'...`,
);
Expand Down
Loading