@Dumbris Dumbris commented Dec 1, 2025

Summary

  • Add support for OAuth extra parameters (RFC 8707 resource indicators) for providers like Runlayer that require additional parameters in OAuth flows
  • Fix OAuth token status display for servers using OAuth autodiscovery (Dynamic Client Registration)
  • Improve CLI commands (upstream list, auth status) to show accurate OAuth token expiration times

Key Changes

OAuth Extra Parameters Support

  • Add extra_params field to OAuth config for custom parameters like resource, audience, tenant
  • Create OAuthTransportWrapper to inject extra params into authorization URLs and token requests
  • Add validation to prevent overriding reserved OAuth parameters
  • Add parameter masking for secure logging

OAuth Token Status Display Fixes

  • Fix token lookup to work for autodiscovery servers (servers with oauth: null in config)
  • upstream list now shows token expiration time for all OAuth servers
  • auth status now correctly identifies and displays autodiscovery servers
  • Token status updates immediately after login without daemon restart

Files Changed

  • internal/oauth/transport_wrapper.go - New OAuth transport wrapper for extra params
  • internal/oauth/masking.go - Parameter masking utilities for secure logging
  • internal/config/oauth_validation.go - Reserved parameter validation
  • internal/runtime/runtime.go - Fixed token lookup for autodiscovery servers
  • cmd/mcpproxy/auth_cmd.go - Improved auth status display
  • cmd/mcpproxy/upstream_cmd.go - Token expiration display

Test plan

  • Unit tests for OAuth validation (19 test cases)
  • Unit tests for transport wrapper (authorization, token exchange, refresh)
  • Unit tests for parameter masking
  • Integration tests for OAuth flows with extra params
  • Manual testing with Sentry, Cloudflare Logs, AutoRAG OAuth servers
  • Verified token status updates without daemon restart

🤖 Generated with Claude Code
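
An added example, not code from this pull request or from mcpproxy-go, of the reserved-parameter validation and log masking listed in the description above. The function names, the reserved and sensitive lists, the `REDACTED` mask string and the URLs are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Assumed lists (not the project's): names the client sets itself; values kept out of logs.
var reserved = map[string]bool{"client_id": true, "client_secret": true,
	"redirect_uri": true, "response_type": true, "scope": true, "state": true,
	"grant_type": true, "code": true, "refresh_token": true,
	"code_challenge": true, "code_challenge_method": true, "code_verifier": true}
var sensitive = []string{"state", "code", "code_challenge", "client_secret"}

// InjectExtraParams rejects reserved names, then adds extra to the URL's query.
func InjectExtraParams(authURL string, extra map[string]string) (*url.URL, error) {
	u, err := url.Parse(authURL)
	if err != nil {
		return nil, err
	}
	q := u.Query()
	for k, v := range extra {
		if reserved[strings.ToLower(k)] {
			return nil, fmt.Errorf("extra_params: %q is a reserved OAuth parameter", k)
		}
		q.Set(k, v)
	}
	u.RawQuery = q.Encode()
	return u, nil
}

// MaskForLog returns the URL as a string with sensitive query values replaced.
func MaskForLog(u *url.URL) string {
	c := *u // copy so the URL actually sent is left untouched
	q := c.Query()
	for _, k := range sensitive {
		if q.Has(k) {
			q.Set(k, "REDACTED")
		}
	}
	c.RawQuery = q.Encode()
	return c.String()
}

func main() {
	u, err := InjectExtraParams("https://auth.example.com/authorize?client_id=abc&state=s3cr3t", // constructed
		map[string]string{"resource": "https://mcp.example.com/api"})
	fmt.Println(MaskForLog(u), err)
}
```

Rejecting reserved names at config-load time keeps a configuration entry from replacing `redirect_uri`, `state` or the PKCE values that the client itself controls.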

github-actions bot commented Dec 5, 2025

📦 Build Artifacts

Workflow Run: View Run
Branch: 006-oauth-extra-params

Available Artifacts

  • archive-darwin-amd64 (23 MB)
  • archive-darwin-arm64 (20 MB)
  • archive-linux-amd64 (12 MB)
  • archive-linux-arm64 (11 MB)
  • archive-windows-amd64 (22 MB)
  • archive-windows-arm64 (20 MB)
  • frontend-dist-pr (0 MB)
  • installer-dmg-darwin-amd64 (25 MB)
  • installer-dmg-darwin-arm64 (23 MB)

How to Download

Option 1: GitHub Web UI (easiest)

  1. Go to the workflow run page linked above
  2. Scroll to the bottom "Artifacts" section
  3. Click on the artifact you want to download

Option 2: GitHub CLI

gh run download 19963138983 --repo smart-mcp-proxy/mcpproxy-go

Note: Artifacts expire in 14 days.

Dumbris and others added 2 commits December 5, 2025 12:45
This commit implements OAuth extra parameters (RFC 8707) support and fixes
OAuth token status display in CLI commands.

Key changes:
- Add extra OAuth params (audience, resource, tenant) to authorization URLs
- Implement automatic OAuth state clearing when config changes
- Fix OAuth token lookup key mismatch (was using server name, now uses
  server_name + URL hash to match PersistentTokenStore format)
- Add GetOAuthToken() and ClearOAuthState() methods to storage manager
- Add OAuthConfigChanged() comparison function for hot-reload detection
- Display OAuth token expiration time in `upstream list` and `auth status`

The token lookup fix resolves an issue where OAuth tokens were being stored
with composite keys (e.g., "sentry_abc123") but looked up with just the
server name ("sentry"), causing authenticated servers to show as pending.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Previously, OAuth token lookup only ran for servers with explicit
oauth config. Servers using OAuth autodiscovery (dynamic client
registration) showed "-" in OAUTH TOKEN column and didn't appear
in `auth status` output, even when they had valid tokens stored.

Changes:
- Move OAuth token lookup outside the `if serverStatus.Config.OAuth != nil`
  block so it runs for ALL servers with a URL
- For autodiscovery servers (no explicit OAuth config), create minimal
  oauthConfig with `autodiscovery: true` flag when token is found
- Update auth_cmd.go to detect autodiscovery flag and display
  "OAuth: Discovered via Dynamic Client Registration" message

Now autorag-cf and other autodiscovery servers correctly show:
- Token expiration time in upstream list (e.g., "49m")
- Full auth status with "Authenticated & Connected"
- Token expiration details

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
@Dumbris Dumbris force-pushed the 006-oauth-extra-params branch from 7a6a7eb to de85df8 Compare December 5, 2025 10:54
@Dumbris Dumbris merged commit 03ea346 into main Dec 5, 2025
37 checks passed
@Dumbris Dumbris deleted the 006-oauth-extra-params branch December 5, 2025 13:44