fix(mcp): fix OAuth auto-connect failing on first connection#15547
Open
domdomegg wants to merge 1 commit intoanomalyco:devfrom
Open
fix(mcp): fix OAuth auto-connect failing on first connection#15547domdomegg wants to merge 1 commit intoanomalyco:devfrom
domdomegg wants to merge 1 commit intoanomalyco:devfrom
Conversation
… MCP servers state() threw when no state was pre-saved, but the SDK calls it as a generator during automatic auth. Also harden create() to treat auth-related errors from the SDK transport as needs_auth.
github-actions
bot
added
needs:compliance
Contributor
|
Thanks for updating your PR! It now meets our contributing guidelines. 👍 |
Author
|
After the fix: 
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issue for this PR
Closes #15546
Type of change
What does this PR do?
When OpenCode auto-connects to a remote MCP server requiring OAuth (e.g. on startup with a pre-configured server), the SDK transport gets a 401 and internally triggers the OAuth
auth()flow. This flow callsprovider.state()to get an OAuth state parameter — butstate()was implemented as a reader that throws if no state was previously saved. SincesaveState()is only called in the explicitstartAuth()path (not the automatic connect path),state()always throws on first connect.The thrown error is a plain
Error, notUnauthorizedError, so OpenCode'screate()catch block doesn't recognize it as auth-related. The server ends up withstatus: "failed"instead ofstatus: "needs_auth".Two fixes:
McpOAuthProvider.state()— generate and persist a new cryptographic state when none exists, instead of throwing. The SDK'sOAuthClientProviderinterface definesstate?()as a generator that returns a state value, not a reader.create()error handling — also treat errors containing "OAuth" from an auth-provider-enabled transport as auth-related, so they result inneeds_authstatus rather thanfailed. This is a defense-in-depth fix for any other plainErrorthe SDK might throw during the auth flow.How did you verify your code works?
Added 3 new tests in
test/mcp/oauth-auto-connect.test.ts:first connect to OAuth server shows needs_auth instead of failed— verifies the full auto-connect path setsneeds_authstatusstate() generates a new state when none is saved— verifies state generation and persistencestate() returns existing state when one is saved— verifies pre-saved state is returned as-isAll MCP tests pass:
bun test test/mcp/ --timeout 30000→ 9 pass, 0 fail.Screenshots / recordings
N/A
Checklist