feat: add OAuth support for external MCP servers in the Playground #1323
+2,692
−17
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This implements OAuth 2.1 Dynamic Client Registration (DCR) flow support for external MCP servers in Gram Elements, following the RFC for MCP-Compliant Playground. Backend changes: - Add user_oauth_tokens table for storing encrypted OAuth tokens - Create external_oauth.go with authorize, callback, status, disconnect, and token endpoints - Implement PKCE (S256) for secure authorization code flow - Add GetToolsetByID query for toolset lookup Elements changes: - Add ExternalOAuthConfig and OAuthApiConfig types - Create useOAuthStatus hook for checking auth status - Create useOAuthToken hook for fetching access tokens - Integrate OAuth status into ElementsProvider context - Handle OAuth callback URL parameters Dashboard changes: - Update PlaygroundElements to pass OAuth config when toolset has external OAuth server configured Resolves AGE-1150 Co-Authored-By: Claude Opus 4.5 <[email protected]>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Add visual OAuth connection status and connect/disconnect buttons in the Playground Authentication section, matching the RFC mockups. Co-Authored-By: Claude Opus 4.5 <[email protected]>
Replace Spinner from moonshine with Loader2 from lucide-react. Co-Authored-By: Claude Opus 4.5 <[email protected]>
simplesagar
changed the title
Update PlaygroundAuth to detect OAuth requirements from external MCP tools discovered via the MCP protocol, in addition to the existing external OAuth server configuration. - Add getExternalMcpOAuthConfig() to extract OAuth config from rawTools - Add ExternalMcpOAuthConnection component for MCP OAuth 2.1/2.0 flows - Support both legacy externalOauthServer and MCP-discovered OAuth - Display "MCP OAuth 2.1" or "OAuth 2.0" label based on discovered version This aligns with the RFC architecture where the Playground acts as an MCP client that self-discovers OAuth requirements from imported catalog tools. Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Add external OAuth endpoints at /oauth-external/* to avoid route conflicts - Implement Dynamic Client Registration (DCR) per RFC 7591 for MCP OAuth 2.1 - Add session header authentication fallback for cross-origin requests - Fix OAuth state cache key consistency using StateID field - Update frontend to pass Gram-Session header for OAuth status/disconnect - Add external_oauth_client_registrations table for storing DCR credentials The OAuth flow now works for external MCP tools like Linear. Note: Agent/chat path does not yet support external MCP tool execution (returns error for ToolKindExternalMCP). This PR focuses on the authentication flow. Co-Authored-By: Claude Opus 4.5 <[email protected]>
Use refetch() instead of invalidateQueries() for more reliable status update after OAuth flow completes. Added small delay to ensure server has processed the callback. Co-Authored-By: Claude Opus 4.5 <[email protected]>
Add comprehensive logging to help debug OAuth status check issues: - Log user_id, organization_id, and issuer when checking status - Log whether token was found or not found - Log final status (authenticated/needs_auth/disconnected), connected, and expired flags Also add new slog helpers to attr package: - SlogOAuthStatus for OAuth status string - SlogOAuthConnected for connection boolean - SlogOAuthExpired for expiration boolean Co-Authored-By: Claude Opus 4.5 <[email protected]>
After OAuth authorization completes, instead of redirecting to the full
dashboard URL (which loaded the entire app in the popup), now show a
minimal success page with:
- Checkmark icon
- "Connected to {provider}" message
- Auto-close after 1.5 seconds
This provides better UX as users see immediate feedback that the
connection succeeded, and the popup closes automatically.
Co-Authored-By: Claude Opus 4.5 <[email protected]>
Contributor
|
|
||||||||||||||||
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Implements MCP OAuth 2.1 with Dynamic Client Registration (DCR) per RFC 7591 for external MCP servers in Gram Elements.
Key changes:
/oauth-external/*(avoids route conflicts with/oauth/{mcpSlug}/*)Changes
Server
/oauth-external/*endpointsuser_oauth_tokensandexternal_oauth_client_registrationsClient/Elements
Gram-Sessionheader for cross-origin authRecent Fixes
refetchStatus()with 300ms delay)Known Limitations
LoadToolsetToolsfunction explicitly returns an error forToolKindExternalMCP. OAuth authentication works, but the Playground chat cannot execute external MCP tools like Linear.Follow-up work needed:
unfoldExternalMCPToolsdoes for MCP JSON-RPC)Test plan
Related
Resolves AGE-1150
🤖 Generated with Claude Code