Add MCP OAuth 2.1 compliance — browser flow replaces copy-paste URLs#8
Merged
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… paths
Replace createServer(env, request, sessionId) with createMcpServer(env, baseUrl)
returning { server, setContext, getContext }. Session extraction is moved to
src/index.ts so the MCP server is context-agnostic and both OAuth and legacy
session paths can inject auth via setContext before the MCP handler runs.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ation Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Update wrangler.toml main field to src/index-oauth.ts
- Remove JWT_SECRET from secrets comments
- Delete src/auth/jwt.ts which is replaced by OAuth session management
- Update tsconfig.json to exclude old index.ts from compilation
- Update integration test to use index-oauth and mock OAuth sessions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Update MockMCPClient to use ?session_id query param (KV session path) instead of Cookie header, which is not supported by index-oauth.ts. Authenticate before the initialize handshake test since the OAuth provider now intercepts all /mcp requests without a bearer token. Update unauthenticated test expectation to match the OAuth provider's 401 invalid_token response instead of a JSON-RPC error.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The jwt.ts file was deleted but server.ts still imported SessionPayload from it. Moved the SessionPayload interface definition inline to maintain backward-compatible tool access patterns for user credentials.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
- /login?session_id=... flow with full MCP OAuth 2.1 compliance via @cloudflare/workers-oauth-provider — all MCP clients (Claude Code, Claude Desktop, opencode) now open a browser automatically for first-time auth
- src/auth/oauth-handler.ts to bridge Discogs OAuth 1.0a with MCP OAuth 2.1 (/authorize, /discogs-callback, /login, /callback, /.well-known/oauth-protected-resource)
- src/mcp/server.ts into a createMcpServer() factory returning { server, setContext } so both OAuth and session paths inject auth context consistently

Rollback
Change main = "src/index-oauth.ts" back to main = "src/index.ts" in wrangler.toml and redeploy. src/index.ts is intentionally kept until production is verified stable.

Test Plan
- src/index.ts when confident

🤖 Generated with Claude Code
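
An added sketch, not code from this PR or from @cloudflare/workers-oauth-provider, of the pattern the commit messages describe: a context-agnostic createMcpServer factory, with the entry point resolving either a bearer token or a legacy session_id and answering 401 invalid_token otherwise. Only createMcpServer, setContext and getContext are names from the page; the env parameter is omitted, and the request and response shapes, the token and session stores, and the WWW-Authenticate header are assumptions.

```typescript
// Added illustration. Only createMcpServer, setContext and getContext are names
// from the page; every other name and all sample values are constructed.
interface AuthContext { userId: string; via: "oauth" | "session"; }
interface Req { bearer?: string; sessionId?: string; }
interface Res { status: number; headers: Record<string, string>; body: string; }

// Context-agnostic factory: it does not know how the caller authenticated.
function createMcpServer(baseUrl: string) {
  let ctx: AuthContext | null = null;
  const server = {
    // Hypothetical stand-in for a tool that needs the user's credentials.
    whoami(): string {
      if (ctx === null) throw new Error("auth context not set");
      return `${ctx.userId} via ${ctx.via} @ ${baseUrl}`;
    },
  };
  const setContext = (c: AuthContext): void => { ctx = c; };
  const getContext = (): AuthContext | null => ctx;
  return { server, setContext, getContext };
}

// Constructed stores standing in for the OAuth provider's tokens and KV sessions.
const TOKENS = new Map<string, string>([["tok-alice", "alice"]]);
const SESSIONS = new Map<string, string>([["sess-bob", "bob"]]);

// Entry-point logic: resolve auth before any MCP handling happens.
function resolveAuth(req: Req): AuthContext | null {
  if (req.bearer !== undefined) {
    // A presented but invalid bearer is rejected; it never falls back to session_id.
    const tokenUser = TOKENS.get(req.bearer);
    return tokenUser ? { userId: tokenUser, via: "oauth" } : null;
  }
  const sessionUser = req.sessionId !== undefined ? SESSIONS.get(req.sessionId) : undefined;
  return sessionUser ? { userId: sessionUser, via: "session" } : null;
}

function handle(req: Req, baseUrl: string): Res {
  const auth = resolveAuth(req);
  if (auth === null) {
    // Header shaped per RFC 9728; the provider's exact output is not shown on the page.
    const meta = `${baseUrl}/.well-known/oauth-protected-resource`;
    const challenge = `Bearer error="invalid_token", resource_metadata="${meta}"`;
    return { status: 401, headers: { "WWW-Authenticate": challenge }, body: '{"error":"invalid_token"}' };
  }
  // One instance per request, so one caller's context cannot reach another's.
  const { server, setContext } = createMcpServer(baseUrl);
  setContext(auth);
  return { status: 200, headers: {}, body: server.whoami() };
}
```

Because setContext mutates state held by the instance, a single module-level instance shared across concurrent requests would let one caller's credentials serve another's tool call; the sketch avoids that by calling the factory inside handle.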