Client implementation of MCP auth

[jspahrsummers]

This implements the client side only of the MCP auth draft spec.

Example usage

A real implementation needs to save OAuth token state, code verifiers, etc. to a persistent store, but this sample at least demonstrates the bits that are necessary:

class MyAuthProvider implements OAuthClientProvider {
  private tokens_: OAuthTokens | undefined;
  private codeVerifier_: string | undefined;

  get redirectUrl(): string {
    return "http://localhost:3000/callback";
  }

  get clientMetadata(): OAuthClientMetadata {
    return {
      redirect_uris: [this.redirectUrl],
      client_name: "My MCP Client"
    };
  }

  clientInformation(): OAuthClientInformation {
    return {
      client_id: "my-client-id",
      client_secret: "my-client-secret"
    };
  }

  async tokens(): Promise<OAuthTokens | undefined> {
    return this.tokens_;
  }

  async saveTokens(tokens: OAuthTokens): Promise<void> {
    this.tokens_ = tokens;
    console.log("Received new tokens:", tokens);
  }

  async redirectToAuthorization(authUrl: URL): Promise<void> {
    console.log("Redirecting to:", authUrl);
    // In a browser, you might do: window.location.href = authUrl.href;
  }

  async saveCodeVerifier(verifier: string): Promise<void> {
    this.codeVerifier_ = verifier;
  }

  async codeVerifier(): Promise<string> {
    if (!this.codeVerifier_) {
      throw new Error("No code verifier saved");
    }
    return this.codeVerifier_;
  }
}

const transport = new SSEClientTransport(
  new URL("https://api.example.com/sse"),
  {
    authProvider: new MyAuthProvider()
  }
);

// The transport will automatically:
// 1. Add auth headers to all requests
// 2. Refresh expired tokens when 401 responses are received
// 3. Store new tokens via the auth provider
// 4. Begin authorization flow if refresh fails

[jerome3o-anthropic]

this looks great! - just a couple of non-blocking questions

[jerome3o-anthropic]

[q] Do we only support S256?

[jspahrsummers]

Yes, OAuth 2.1 basically* requires this

[jerome3o-anthropic]

What's the intended behaviour when we need to redirect? should the caller just catch this error?

[jerome3o-anthropic]

my understanding is:

• the provider will initiate the redirect on a 401
• once the user is redirected back we will call auth() again but with the authorization code
• that will populate the provider's tokens
• and then we init a new transport with that provider

I could be missing something though - is that how we intend to get the authorization code in here?

[jspahrsummers]

Yes, that's right. This is a good reminder to add more docs, though—and I also wanted to add a convenience method that makes it easier to finish the auth flow via the SSEClientTransport class.

[jerome3o-anthropic]

[q] should this be 401

[jspahrsummers]

The spec actually says 400: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#name-error-response