Skip to content

client: preserve OAuth discovery metadata across browser redirects#1816

Open
windro-xdd wants to merge 35 commits intomodelcontextprotocol:mainfrom
windro-xdd:fix/oauth-redirect-preserve-resource-metadata
Open

client: preserve OAuth discovery metadata across browser redirects#1816
windro-xdd wants to merge 35 commits intomodelcontextprotocol:mainfrom
windro-xdd:fix/oauth-redirect-preserve-resource-metadata

Conversation

@windro-xdd
Copy link
Copy Markdown

@windro-xdd windro-xdd commented Mar 29, 2026
edited
Loading

Summary

  • persist interactive OAuth metadata (resource_metadata URL and scope) in browser sessionStorage for both Streamable HTTP and SSE client transports
  • restore that state on transport construction so finishAuth() works after full-page redirects
  • clear persisted state after successful authorization to avoid stale auth context
  • add regression tests for transport recreation + post-redirect finishAuth() on both transports

Why

finishAuth() can fail in browser redirect flows when the original transport instance is lost and the WWW-Authenticate metadata extracted before redirect is no longer in memory. Persisting and restoring this metadata keeps token exchange on the same discovered authorization path.

Validation

  • pnpm --filter @modelcontextprotocol/client typecheck
  • pnpm --filter @modelcontextprotocol/client lint
  • pnpm --filter @modelcontextprotocol/client test -- test/client/streamableHttp.test.ts test/client/sse.test.ts

Closes #1234

@windro-xdd windro-xdd requested a review from a team as a code owner March 29, 2026 14:43
@changeset-bot
Copy link
Copy Markdown

changeset-bot bot commented Mar 29, 2026
edited
Loading

🦋 Changeset detected

Latest commit: 317fec5

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 7 packages
Name Type
@modelcontextprotocol/server Patch
@modelcontextprotocol/client Patch
@modelcontextprotocol/core Patch
@modelcontextprotocol/express Patch
@modelcontextprotocol/fastify Patch
@modelcontextprotocol/hono Patch
@modelcontextprotocol/node Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@pkg-pr-new
Copy link
Copy Markdown

pkg-pr-new bot commented Mar 29, 2026
edited
Loading

Open in StackBlitz

@modelcontextprotocol/client

npm i https://pkg.pr.new/@modelcontextprotocol/client@1816

@modelcontextprotocol/server

npm i https://pkg.pr.new/@modelcontextprotocol/server@1816

@modelcontextprotocol/express

npm i https://pkg.pr.new/@modelcontextprotocol/express@1816

@modelcontextprotocol/fastify

npm i https://pkg.pr.new/@modelcontextprotocol/fastify@1816

@modelcontextprotocol/hono

npm i https://pkg.pr.new/@modelcontextprotocol/hono@1816

@modelcontextprotocol/node

npm i https://pkg.pr.new/@modelcontextprotocol/node@1816

commit: 317fec5

felixweinberger and others added 2 commits March 30, 2026 13:56
@felixweinberger @DeltaMasterDtm @KKonstantinov
fix(stdio): always set windowsHide on Windows, not just in Electron (m…
5276439 
…odelcontextprotocol#1772)

Co-authored-by: jnMetaCode <147776183+jnMetaCode@users.noreply.github.com>
Co-authored-by: Konstantin Konstantinov <KKonstantinov@users.noreply.github.com>
@felixweinberger @CHOIJEWON
feat(client): add reconnectionScheduler to StreamableHTTPClientTransp…
6711ed9 
…ort (modelcontextprotocol#1763)

Co-authored-by: CHOIJEWON <alsrn6040@kakao.com>
@felixweinberger felixweinberger added the auth Issues and PRs related to Authentication / OAuth label Mar 30, 2026
wdawson and others added 17 commits March 30, 2026 18:11
@wdawson
SEP-2207: Refresh token guidance (modelcontextprotocol#1523)
9d08392
@felixweinberger
docs: note type vs interface for structuredContent (modelcontextproto…
9d924b1 
…col#1784)
@felixweinberger
fix(core): add explicit | undefined to Transport interface optional p…
48aba0d 
…roperties (modelcontextprotocol#1766)
@felixweinberger
chore(v2): pnpm audit fix (modelcontextprotocol#1789)
d0505c1
@felixweinberger
ci: format fetch-spec-types output with prettier (modelcontextprotoco…
9efecc2 
…l#1782)
@NSeydoux
Private key jwt scopes (modelcontextprotocol#1443)
4aec5f7
@felixweinberger @KKonstantinov
feat!: remove WebSocketClientTransport (modelcontextprotocol#1783)
045c62a 
Co-authored-by: Konstantin Konstantinov <KKonstantinov@users.noreply.github.com>
@matantsach @claude
@felixweinberger @pcarleton
fix: continue OAuth metadata discovery on 5xx responses (modelcontext…
d99f3ee 
…protocol#1632)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Felix Weinberger <3823880+felixweinberger@users.noreply.github.com>
Co-authored-by: Paul Carleton <paulcarletonjr@gmail.com>
@rechedev9 @felixweinberger
test: add compile-time key-parity assertions for spec type checks (mo…
a39a9eb 
…delcontextprotocol#1652)

Co-authored-by: Felix Weinberger <3823880+felixweinberger@users.noreply.github.com>
@felixweinberger
fix(core): ensure standardSchemaToJsonSchema emits type:object (model…
d6a02c8 
…contextprotocol#1796)
@felixweinberger
fix(examples): return 404 for unknown session IDs, 400 for missing (m…
8822c96 
…odelcontextprotocol#1770)
@felixweinberger
fix(core): consolidate per-request cleanup in _requestWithSchema (mod…
89fb094 
…elcontextprotocol#1790)
@felixweinberger @KKonstantinov
chore: drop zod from peerDependencies (kept as direct dependency) (mo…
fcde488 
…delcontextprotocol#1824)

Co-authored-by: Konstantin Konstantinov <KKonstantinov@users.noreply.github.com>
@DePasqualeOrg @felixweinberger
Fix: Handle error responses in Streamable HTTP SSE streams (modelcont…
9bc9abc 
…extprotocol#1390)

Co-authored-by: Felix Weinberger <3823880+felixweinberger@users.noreply.github.com>
@chughtapan @claude @felixweinberger
Add _meta support to registerPrompt (modelcontextprotocol#1629)
f73a5af 
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Felix Weinberger <3823880+felixweinberger@users.noreply.github.com>
@KKonstantinov @felixweinberger
v2: Web standards Request object in ctx (modelcontextprotocol#1822)
2fd7f5f 
Co-authored-by: Felix Weinberger <3823880+felixweinberger@users.noreply.github.com>
@KKonstantinov @felixweinberger
fix(core): make fromJsonSchema() use runtime-aware default validator … (
5f32a90 
modelcontextprotocol#1825)

Co-authored-by: Felix Weinberger <3823880+felixweinberger@users.noreply.github.com>
pcarleton
pcarleton requested changes Mar 31, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@pcarleton pcarleton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, you should be able to do this with loadDiscoveryState / saveDiscoveryState, could be in an example implementation of OAuthProvider

andyfleming and others added 4 commits March 31, 2026 13:51
@andyfleming @felixweinberger @KKonstantinov
Adds Fastify Middleware for v2 (modelcontextprotocol#1536)
81e4b2a 
Co-authored-by: Felix Weinberger <fweinberger@anthropic.com>
Co-authored-by: Konstantin Konstantinov <KKonstantinov@users.noreply.github.com>
Co-authored-by: Felix Weinberger <3823880+felixweinberger@users.noreply.github.com>
@felixweinberger
chore: enter alpha prerelease mode (modelcontextprotocol#1823)
0fabc27
@rechedev9 @KKonstantinov @felixweinberger
fix(server): propagate negotiated protocol version to transport (mode…
689148d 
…lcontextprotocol#1660)

Co-authored-by: Konstantin Konstantinov <KKonstantinov@users.noreply.github.com>
Co-authored-by: Felix Weinberger <3823880+felixweinberger@users.noreply.github.com>
@felixweinberger
chore(ci): remove dead publish job from main.yml (modelcontextprotoco…
babaa50 
…l#1829)
@km-anthropic
Copy link
Copy Markdown

km-anthropic commented Mar 31, 2026

@claude review

felixweinberger and others added 11 commits April 1, 2026 13:30
@felixweinberger
chore(fastify): remove stray packageManager field from subpackage (mo…
38d6cd2 
…delcontextprotocol#1833)
@github-actions
Version Packages (alpha) (modelcontextprotocol#1420)
54fa96e 
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@felixweinberger
fix(ci): split release.yml into version + publish jobs (modelcontextp…
53fb84b 
…rotocol#1836)
@KKonstantinov
v2 tsdown fix (modelcontextprotocol#1840)
424cbae
@github-actions
Version Packages (alpha) (modelcontextprotocol#1841)
0021561 
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@felixweinberger @KKonstantinov
fix(core): allow additional JSON Schema properties in elicitInput req…
866c08d 
…uestedSchema (modelcontextprotocol#1768)

Co-authored-by: Konstantin Konstantinov <KKonstantinov@users.noreply.github.com>
@nielskaspers @felixweinberger
fix(client): preserve custom Accept headers in StreamableHTTPClientTr…
1eb3123 
…ansport (modelcontextprotocol#1655)

Co-authored-by: Felix Weinberger <3823880+felixweinberger@users.noreply.github.com>
Co-authored-by: Felix Weinberger <fweinberger@anthropic.com>
@jonathanhefner @claude
Rewrite docs/server.md as a code-heavy, prose-light how-to guide (m…
653c5d0 
…odelcontextprotocol#1552)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@claygeo @felixweinberger
fix: prevent stack overflow in transport close with re-entrancy guard (
df4b6cc 
…modelcontextprotocol#1788)

Co-authored-by: Felix Weinberger <fweinberger@anthropic.com>
Co-authored-by: Felix Weinberger <3823880+felixweinberger@users.noreply.github.com>
feat(client): add OAuthProvider for preserving discovery state across…
a408ca7 
… redirects

Add OAuthProvider class to enable stateful OAuth flows in browser-based
applications. The provider persists discovery state (resource metadata URL,
scopes) across OAuth redirects using sessionStorage with automatic 15-minute
expiry, graceful degradation when storage is unavailable, and comprehensive
error handling.

Key features:
- saveDiscoveryState/loadDiscoveryState for state persistence
- Automatic timestamp-based expiry validation
- getAuthorizationUrl for RFC 6749 OAuth 2.0 compatibility
- Createable client transport with restored state
- Graceful handling of missing sessionStorage (private browsing)
- Try-catch wrapped storage operations

Includes:
- Full implementation with JSDoc documentation
- Comprehensive test suite (state persistence, expiry, error handling)
- OAuth_REDIRECT_EXAMPLE.md with usage patterns and security notes

Fixes the issue of losing discovery state during browser redirects in
interactive OAuth flows when implementing MCP-compatible web applications.
merge: resolve streamableHttp.ts conflict, keep OAuth implementation
317fec5
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pcarleton pcarleton pcarleton requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

auth Issues and PRs related to Authentication / OAuth

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

OAuth: Resource metadata URL lost after redirect, causing token exchange to fail