feat: support manual entry of OAuth client information #345
Hi @xiaoyijun! Thanks for this. I haven't done a local test of it yet, but I like what I see in the PR description and it does make sense for the use case of servers that don't support dynamic client registration. Based on the spec I want to think that this complies, but it seems like a mix of options 1 and 2. We're providing a UI for users to enter this information, but it's not actually being registered, just passed to the server as if hardcoded. Given that this is the inspector and not an actual real-world client, I think this approach is OK. @localden might have a more nuanced view.
Hi @cliffhall, thanks for the feedback!
@xiaoyijun can you drop a link to the server you tested with? I'd really like to test this locally.
Hi @cliffhall! founder of Logto here. our team (primarily @xiaoyijun) is currently working on some MCP projects (primarily auth-related). we're excited about contributing to the MCP community and would love to share more details about what we are doing and server info for testing. since the project is still in early-stage development, we’re unsure whether we can share everything publicly. what’s the best way to get in touch with you? it'll be great to have a direct channel for team-to-team communication (e.g., Slack or Teams) to help things move more efficiently. looking forward to your thoughts.
Hi @cliffhall, sorry for the late response. I just found that the MCP Typescript SDK has supported passing I created a PR (modelcontextprotocol/typescript-sdk#491) to support custom scope when making an auth request, which is needed when we use a pre-registered OAuth client. I will update this PR once modelcontextprotocol/typescript-sdk#491 is merged, and will also include the We forked this project and implemented an enhanced inspector which supports configuring OAuth flow parameters. Here is how we use it in our MCP Auth tutorial: https://mcp-auth.dev/docs/tutorials/whoami (the sample server code can be found here: https://github.com/mcp-auth/js/tree/master/packages/sample-servers). The inspector used in the tutorial is available at https://github.com/mcp-auth/inspector
Nice one, @xiaoyijun! Ok, I see that your fix to the SDK has been merged, but there's going to be a lag before the next release, and of the inspector leveling up to that release. I'm going to tag this as
@cliffhall
737bc50 to 1f21b7e
Hi @cliffhall, The SDK has been updated, but when I rebased this branch, I noticed some significant changes in the Inspector's auth implementation. Previously, we could initiate the auth flow directly during the connection process. However, now I notice that the Inspector redirects to I also noticed there's a new OAuth debug module in the UI. Does this indicate a change in how OAuth flows are handled in the Inspector? Could you provide some guidance on these changes? This will help me align my implementation with the new OAuth flow architecture.
@pcarleton could you provide some insight to @xiaoyijun
👋 #418 should fix the connection issue, it was unrelated to the debugger. regarding auth flows changing overall, we're working to add support in the typescript sdk for the new draft spec here, and then will follow up with supporting them in the inspector: There's a client PR here: modelcontextprotocol/typescript-sdk#416 These should all be backwards compatible (if the new metadata endpoint
@pcarleton thanks for your information, I'll update this PR once the issue is addressed.
3a1b042 to 705b0e8
Hi @cliffhall @pcarleton, I just rebased this PR and updated the implementation, PTAL. You can use mcp-auth sample for testing.
The following configuration is provided to facilitate your testing:
@xiaoyijun Is there a way you could test this against an example server in the TypeScript SDK? I'm wary of installing random code for testing, and would much rather test against in-project resources wherever possible. For instance, we were able to test #469 by starting the `npx tsx src/examples/server/simpleStreamableHttp.ts --oauth`
@cliffhall Thanks for the suggestion! I’ll give that a try and see how it works.
Hi @cliffhall, I just tested this implementation with the simpleStreamableHttp example from the TypeScript SDK server, and it works as expected. However, some setup is required beforehand:

```ts
export class DemoInMemoryClientsStore implements OAuthRegisteredClientsStore {
  private clients = new Map<string, OAuthClientInformationFull>([
    // 👇 Preregistered OAuth client here
    [
      "preregistered-client-id",
      {
        client_id: "preregistered-client-id",
        redirect_uris: ["http://localhost:6274/oauth/callback"],
        scope: "mcp:tools",
      },
    ],
  ]);

  async getClient(clientId: string) {
    return this.clients.get(clientId);
  }

  // async registerClient(clientMetadata: OAuthClientInformationFull) {
  //   this.clients.set(clientMetadata.client_id, clientMetadata);
  //   return clientMetadata;
  // }
}
```

Now, start the MCP server:

Enter the following configuration in the Inspector:

Click "Connect".
Add support for manually entering OAuth client information in the UI
Motivation and Context
This PR addresses issue #167 where users encounter errors when connecting to MCP servers that use OAuth authentication but don't support dynamic client registration. Per MCP spec, servers without dynamic registration need alternative ways for clients to obtain credentials. This implementation adds a UI for users to manually enter OAuth client information, providing graceful degradation when automatic registration isn't available.
How Has This Been Tested?
Tested by connecting to an MCP server requiring OAuth authentication without dynamic client registration capabilities. Verified that:
Breaking Changes
None. This is a non-breaking addition that enhances functionality without changing existing behavior.
Types of changes
Checklist
Additional context
This implementation directly resolves issue #167 by providing a solution for MCP clients to connect to servers without dynamic client registration. By adding a dedicated UI section for OAuth configuration, users can now manually enter their client ID after registering through the server's interface. The solution maintains the redirect URL in the UI for easy reference during client registration, enabling seamless authentication even with servers that don't support dynamic registration.
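
The fallback this PR describes, sketched as an added example that is not the Inspector's or the SDK's code: a client uses a manually entered client ID when one is supplied, falls back to dynamic registration only when the server advertises a `registration_endpoint`, and otherwise fails with a clear message. The function names, the metadata endpoint URL, the PKCE challenge and the state value are assumptions; the client ID, redirect URI and scope are the ones from the test setup in the thread.

```typescript
// Added example, not Inspector or SDK code. All names here are hypothetical.
interface AuthServerMetadata {
  authorization_endpoint: string;
  registration_endpoint?: string; // absent when dynamic registration is unsupported
}

type ClientSource =
  | { kind: "preregistered"; clientId: string }
  | { kind: "dynamic"; registrationEndpoint: string };

// Prefer a client ID the user typed in; fall back to dynamic registration only
// when the server advertises it; otherwise fail with an actionable message.
function chooseClientSource(meta: AuthServerMetadata, manualClientId?: string): ClientSource {
  const clientId = manualClientId?.trim();
  if (clientId) return { kind: "preregistered", clientId };
  if (meta.registration_endpoint) {
    return { kind: "dynamic", registrationEndpoint: meta.registration_endpoint };
  }
  throw new Error("No registration_endpoint advertised: enter a pre-registered client ID");
}

// Build the authorization request for a pre-registered public client.
// The redirect URI must match the one registered on the server exactly.
function buildAuthorizationUrl(
  meta: AuthServerMetadata,
  clientId: string,
  redirectUri: string,
  pkceChallenge: string, // S256 challenge generated by the caller
  state: string,
  scope?: string,
): URL {
  const url = new URL(meta.authorization_endpoint);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("code_challenge", pkceChallenge);
  url.searchParams.set("code_challenge_method", "S256");
  url.searchParams.set("state", state);
  if (scope?.trim()) url.searchParams.set("scope", scope.trim()); // omit when unset
  return url;
}

// Constructed sample: the endpoint, challenge and state are placeholders.
const sampleMeta: AuthServerMetadata = { authorization_endpoint: "http://localhost:3001/authorize" };
const source = chooseClientSource(sampleMeta, "preregistered-client-id");
if (source.kind === "preregistered") {
  console.log(buildAuthorizationUrl(sampleMeta, source.clientId,
    "http://localhost:6274/oauth/callback", "constructed-challenge", "constructed-state", "mcp:tools").href);
}
```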