Add resource parameter to authorize URL (#112)

joshcanhelp · web-flow · commit 6d2aa681c805 · 2025-07-04T15:15:29.000+10:00
* feat: add resource flag to proxy command

* feat: append resource parameter to authorize URL

* fix: authorize resource used and logged

* feat: pass resource to OAuth client

* refactor: lint
diff --git a/src/lib/node-oauth-client-provider.ts b/src/lib/node-oauth-client-provider.ts
@@ -26,6 +26,7 @@ export class NodeOAuthClientProvider implements OAuthClientProvider {
   private softwareVersion: string
   private staticOAuthClientMetadata: StaticOAuthClientMetadata
   private staticOAuthClientInfo: StaticOAuthClientInformationFull
+  private authorizeResource: string | undefined
   private _state: string
 
   /**
@@ -41,6 +42,7 @@ export class NodeOAuthClientProvider implements OAuthClientProvider {
     this.softwareVersion = options.softwareVersion || MCP_REMOTE_VERSION
     this.staticOAuthClientMetadata = options.staticOAuthClientMetadata
     this.staticOAuthClientInfo = options.staticOAuthClientInfo
+    this.authorizeResource = options.authorizeResource
     this._state = randomUUID()
   }
 
@@ -168,6 +170,10 @@ export class NodeOAuthClientProvider implements OAuthClientProvider {
    * @param authorizationUrl The URL to redirect to
    */
   async redirectToAuthorization(authorizationUrl: URL): Promise<void> {
+    if (this.authorizeResource) {
+      authorizationUrl.searchParams.set('resource', this.authorizeResource)
+    }
+
     log(`\nPlease authorize this client by visiting:\n${authorizationUrl.toString()}\n`)
 
     if (DEBUG) debugLog('Redirecting to authorization URL', authorizationUrl.toString())
diff --git a/src/lib/types.ts b/src/lib/types.ts
@@ -27,6 +27,8 @@ export interface OAuthProviderOptions {
   staticOAuthClientMetadata?: StaticOAuthClientMetadata
   /** Static OAuth client information to use instead of OAuth registration */
   staticOAuthClientInfo?: StaticOAuthClientInformationFull
+  /** Resource parameter to send to the authorization server */
+  authorizeResource?: string
 }
 
 /**
diff --git a/src/lib/utils.ts b/src/lib/utils.ts
@@ -609,6 +609,14 @@ export async function parseCommandLineArgs(args: string[], usage: string) {
     }
   }
 
+  // Parse resource to authorize
+  let authorizeResource = '' // Default
+  const resourceIndex = args.indexOf('--resource')
+  if (resourceIndex !== -1 && resourceIndex < args.length - 1) {
+    authorizeResource = args[resourceIndex + 1]
+    log(`Using authorize resource: ${authorizeResource}`)
+  }
+
   if (!serverUrl) {
     log(usage)
     process.exit(1)
@@ -673,7 +681,17 @@ export async function parseCommandLineArgs(args: string[], usage: string) {
     })
   }
 
-  return { serverUrl, callbackPort, headers, transportStrategy, host, debug, staticOAuthClientMetadata, staticOAuthClientInfo }
+  return {
+    serverUrl,
+    callbackPort,
+    headers,
+    transportStrategy,
+    host,
+    debug,
+    staticOAuthClientMetadata,
+    staticOAuthClientInfo,
+    authorizeResource,
+  }
 }
 
 /**
diff --git a/src/proxy.ts b/src/proxy.ts
@@ -35,6 +35,7 @@ async function runProxy(
   host: string,
   staticOAuthClientMetadata: StaticOAuthClientMetadata,
   staticOAuthClientInfo: StaticOAuthClientInformationFull,
+  authorizeResource: string,
 ) {
   // Set up event emitter for auth flow
   const events = new EventEmitter()
@@ -53,6 +54,7 @@ async function runProxy(
     clientName: 'MCP CLI Proxy',
     staticOAuthClientMetadata,
     staticOAuthClientInfo,
+    authorizeResource,
   })
 
   // Create the STDIO transport for local connections
@@ -142,9 +144,30 @@ to the CA certificate file. If using claude_desktop_config.json, this might look
 
 // Parse command-line arguments and run the proxy
 parseCommandLineArgs(process.argv.slice(2), 'Usage: npx tsx proxy.ts <https://server-url> [callback-port] [--debug]')
-  .then(({ serverUrl, callbackPort, headers, transportStrategy, host, debug, staticOAuthClientMetadata, staticOAuthClientInfo }) => {
-    return runProxy(serverUrl, callbackPort, headers, transportStrategy, host, staticOAuthClientMetadata, staticOAuthClientInfo)
-  })
+  .then(
+    ({
+      serverUrl,
+      callbackPort,
+      headers,
+      transportStrategy,
+      host,
+      debug,
+      staticOAuthClientMetadata,
+      staticOAuthClientInfo,
+      authorizeResource,
+    }) => {
+      return runProxy(
+        serverUrl,
+        callbackPort,
+        headers,
+        transportStrategy,
+        host,
+        staticOAuthClientMetadata,
+        staticOAuthClientInfo,
+        authorizeResource,
+      )
+    },
+  )
   .catch((error) => {
     log('Fatal error:', error)
     process.exit(1)

Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,8 @@ export interface OAuthProviderOptions {`
`27`	`27`	`staticOAuthClientMetadata?: StaticOAuthClientMetadata`
`28`	`28`	`/** Static OAuth client information to use instead of OAuth registration */`
`29`	`29`	`staticOAuthClientInfo?: StaticOAuthClientInformationFull`
	`30`	`+ /** Resource parameter to send to the authorization server */`
	`31`	`+ authorizeResource?: string`
`30`	`32`	`}`
`31`	`33`
`32`	`34`	`/**`