Skip to content

Commit 636aaf9

Browse files
ghostwriternrghostwriternr
authored
Fix OAuth redirect handling in MCP clients (#630)
* Fix OAuth redirect handling in MCP clients OAuth callbacks with successRedirect/errorRedirect returned 200 OK instead of 302 redirects because CORS response reconstruction lost status codes and headers. Relative URLs also failed since Response.redirect() requires absolute URLs. Preserve status/statusText when adding CORS headers, use Headers constructor to properly copy all headers, and leverage URL constructor to normalize relative URLs to absolute. * Fix OAuth redirect handling in MCP clients * Keep upgrade check
1 parent 4487a94 commit 636aaf9

File tree

2 files changed

+28
-12
lines changed

2 files changed

+28
-12
lines changed

.changeset/pink-mangos-float.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
---
2+
"agents": patch
3+
---
4+
5+
Fix OAuth redirect handling in MCP clients

packages/agents/src/index.ts

Lines changed: 23 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -1665,20 +1665,25 @@ export class Agent<
16651665
return config.customHandler(result);
16661666
}
16671667

1668-
// Use redirect URLs if configured
1668+
const baseOrigin = new URL(request.url).origin;
1669+
1670+
// Redirect to success URL if configured
16691671
if (config?.successRedirect && result.authSuccess) {
1670-
return Response.redirect(config.successRedirect);
1672+
return Response.redirect(
1673+
new URL(config.successRedirect, baseOrigin).href
1674+
);
16711675
}
16721676

1677+
// Redirect to error URL if configured
16731678
if (config?.errorRedirect && !result.authSuccess) {
1674-
return Response.redirect(
1675-
`${config.errorRedirect}?error=${encodeURIComponent(result.authError || "Unknown error")}`
1676-
);
1679+
const errorUrl = `${config.errorRedirect}?error=${encodeURIComponent(
1680+
result.authError || "Unknown error"
1681+
)}`;
1682+
return Response.redirect(new URL(errorUrl, baseOrigin).href);
16771683
}
16781684

1679-
// Default behavior - redirect to base URL
1680-
const baseUrl = new URL(request.url).origin;
1681-
return Response.redirect(baseUrl);
1685+
// Default: redirect to base URL
1686+
return Response.redirect(baseOrigin);
16821687
}
16831688
}
16841689

@@ -1755,11 +1760,17 @@ export async function routeAgentRequest<Env>(
17551760
request.headers.get("upgrade")?.toLowerCase() !== "websocket" &&
17561761
request.headers.get("Upgrade")?.toLowerCase() !== "websocket"
17571762
) {
1763+
const newHeaders = new Headers(response.headers);
1764+
1765+
// Add CORS headers
1766+
for (const [key, value] of Object.entries(corsHeaders)) {
1767+
newHeaders.set(key, value);
1768+
}
1769+
17581770
response = new Response(response.body, {
1759-
headers: {
1760-
...response.headers,
1761-
...corsHeaders
1762-
}
1771+
status: response.status,
1772+
statusText: response.statusText,
1773+
headers: newHeaders
17631774
});
17641775
}
17651776
return response;

0 commit comments

Comments
 (0)