Merge pull request #143 from modelcontextprotocol/justin/sdk-auth

Refactor to use auth from SDK

Author: jerome3o-anthropic

client/package.json

@@ -21,7 +21,7 @@
     "preview": "vite preview"
   },
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.4.1",
+    "@modelcontextprotocol/sdk": "^1.6.1",
     "@radix-ui/react-dialog": "^1.1.3",
     "@radix-ui/react-checkbox": "^1.1.4",
     "@radix-ui/react-icons": "^1.3.0",

client/src/components/OAuthCallback.tsx

@@ -1,6 +1,7 @@
 import { useEffect, useRef } from "react";
-import { handleOAuthCallback } from "../lib/auth";
+import { authProvider } from "../lib/auth";
 import { SESSION_KEYS } from "../lib/constants";
+import { auth } from "@modelcontextprotocol/sdk/client/auth.js";
 
 const OAuthCallback = () => {
   const hasProcessedRef = useRef(false);
@@ -24,15 +25,16 @@ const OAuthCallback = () => {
       }
 
       try {
-        const tokens = await handleOAuthCallback(serverUrl, code);
-        // Store both access and refresh tokens
-        sessionStorage.setItem(SESSION_KEYS.ACCESS_TOKEN, tokens.access_token);
-        if (tokens.refresh_token) {
-          sessionStorage.setItem(
-            SESSION_KEYS.REFRESH_TOKEN,
-            tokens.refresh_token,
+        const result = await auth(authProvider, {
+          serverUrl,
+          authorizationCode: code,
+        });
+        if (result !== "AUTHORIZED") {
+          throw new Error(
+            `Expected to be authorized after providing auth code, got: ${result}`,
           );
         }
+
         // Redirect back to the main app with server URL to trigger auto-connect
         window.location.href = `/?serverUrl=${encodeURIComponent(serverUrl)}`;
       } catch (error) {

client/src/lib/auth.ts

@@ -1,134 +1,73 @@
-import pkceChallenge from "pkce-challenge";
+import { OAuthClientProvider } from "@modelcontextprotocol/sdk/client/auth.js";
+import {
+  OAuthClientInformationSchema,
+  OAuthClientInformation,
+  OAuthTokens,
+  OAuthTokensSchema,
+} from "@modelcontextprotocol/sdk/shared/auth.js";
 import { SESSION_KEYS } from "./constants";
-import { z } from "zod";
 
-export const OAuthMetadataSchema = z.object({
-  authorization_endpoint: z.string(),
-  token_endpoint: z.string(),
-});
-
-export type OAuthMetadata = z.infer<typeof OAuthMetadataSchema>;
-
-export const OAuthTokensSchema = z.object({
-  access_token: z.string(),
-  refresh_token: z.string().optional(),
-  expires_in: z.number().optional(),
-});
-
-export type OAuthTokens = z.infer<typeof OAuthTokensSchema>;
-
-export async function discoverOAuthMetadata(
-  serverUrl: string,
-): Promise<OAuthMetadata> {
-  try {
-    const url = new URL("/.well-known/oauth-authorization-server", serverUrl);
-    const response = await fetch(url.toString());
-
-    if (response.ok) {
-      const metadata = await response.json();
-      const validatedMetadata = OAuthMetadataSchema.parse({
-        authorization_endpoint: metadata.authorization_endpoint,
-        token_endpoint: metadata.token_endpoint,
-      });
-      return validatedMetadata;
-    }
-  } catch (error) {
-    console.warn("OAuth metadata discovery failed:", error);
+class InspectorOAuthClientProvider implements OAuthClientProvider {
+  get redirectUrl() {
+    return window.location.origin + "/oauth/callback";
   }
 
-  // Fall back to default endpoints
-  const baseUrl = new URL(serverUrl);
-  const defaultMetadata = {
-    authorization_endpoint: new URL("/authorize", baseUrl).toString(),
-    token_endpoint: new URL("/token", baseUrl).toString(),
-  };
-  return OAuthMetadataSchema.parse(defaultMetadata);
-}
-
-export async function startOAuthFlow(serverUrl: string): Promise<string> {
-  // Generate PKCE challenge
-  const challenge = await pkceChallenge();
-  const codeVerifier = challenge.code_verifier;
-  const codeChallenge = challenge.code_challenge;
-
-  // Store code verifier for later use
-  sessionStorage.setItem(SESSION_KEYS.CODE_VERIFIER, codeVerifier);
-
-  // Discover OAuth endpoints
-  const metadata = await discoverOAuthMetadata(serverUrl);
+  get clientMetadata() {
+    return {
+      redirect_uris: [this.redirectUrl],
+      token_endpoint_auth_method: "none",
+      grant_types: ["authorization_code", "refresh_token"],
+      response_types: ["code"],
+      client_name: "MCP Inspector",
+      client_uri: "https://github.com/modelcontextprotocol/inspector",
+    };
+  }
 
-  // Build authorization URL
-  const authUrl = new URL(metadata.authorization_endpoint);
-  authUrl.searchParams.set("response_type", "code");
-  authUrl.searchParams.set("code_challenge", codeChallenge);
-  authUrl.searchParams.set("code_challenge_method", "S256");
-  authUrl.searchParams.set(
-    "redirect_uri",
-    window.location.origin + "/oauth/callback",
-  );
+  async clientInformation() {
+    const value = sessionStorage.getItem(SESSION_KEYS.CLIENT_INFORMATION);
+    if (!value) {
+      return undefined;
+    }
 
-  return authUrl.toString();
-}
+    return await OAuthClientInformationSchema.parseAsync(JSON.parse(value));
+  }
 
-export async function handleOAuthCallback(
-  serverUrl: string,
-  code: string,
-): Promise<OAuthTokens> {
-  // Get stored code verifier
-  const codeVerifier = sessionStorage.getItem(SESSION_KEYS.CODE_VERIFIER);
-  if (!codeVerifier) {
-    throw new Error("No code verifier found");
+  saveClientInformation(clientInformation: OAuthClientInformation) {
+    sessionStorage.setItem(
+      SESSION_KEYS.CLIENT_INFORMATION,
+      JSON.stringify(clientInformation),
+    );
   }
 
-  // Discover OAuth endpoints
-  const metadata = await discoverOAuthMetadata(serverUrl);
-  // Exchange code for tokens
-  const response = await fetch(metadata.token_endpoint, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/x-www-form-urlencoded",
-    },
-    body: new URLSearchParams({
-      grant_type: "authorization_code",
-      code,
-      code_verifier: codeVerifier,
-      redirect_uri: window.location.origin + "/oauth/callback",
-    }),
-  });
+  async tokens() {
+    const tokens = sessionStorage.getItem(SESSION_KEYS.TOKENS);
+    if (!tokens) {
+      return undefined;
+    }
 
-  if (!response.ok) {
-    throw new Error("Token exchange failed");
+    return await OAuthTokensSchema.parseAsync(JSON.parse(tokens));
   }
 
-  const tokens = await response.json();
-  return OAuthTokensSchema.parse(tokens);
-}
+  saveTokens(tokens: OAuthTokens) {
+    sessionStorage.setItem(SESSION_KEYS.TOKENS, JSON.stringify(tokens));
+  }
 
-export async function refreshAccessToken(
-  serverUrl: string,
-): Promise<OAuthTokens> {
-  const refreshToken = sessionStorage.getItem(SESSION_KEYS.REFRESH_TOKEN);
-  if (!refreshToken) {
-    throw new Error("No refresh token available");
+  redirectToAuthorization(authorizationUrl: URL) {
+    window.location.href = authorizationUrl.href;
   }
 
-  const metadata = await discoverOAuthMetadata(serverUrl);
+  saveCodeVerifier(codeVerifier: string) {
+    sessionStorage.setItem(SESSION_KEYS.CODE_VERIFIER, codeVerifier);
+  }
 
-  const response = await fetch(metadata.token_endpoint, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/x-www-form-urlencoded",
-    },
-    body: new URLSearchParams({
-      grant_type: "refresh_token",
-      refresh_token: refreshToken,
-    }),
-  });
+  codeVerifier() {
+    const verifier = sessionStorage.getItem(SESSION_KEYS.CODE_VERIFIER);
+    if (!verifier) {
+      throw new Error("No code verifier saved for session");
+    }
 
-  if (!response.ok) {
-    throw new Error("Token refresh failed");
+    return verifier;
   }
-
-  const tokens = await response.json();
-  return OAuthTokensSchema.parse(tokens);
 }
+
+export const authProvider = new InspectorOAuthClientProvider();

client/src/lib/constants.ts

@@ -2,6 +2,6 @@
 export const SESSION_KEYS = {
   CODE_VERIFIER: "mcp_code_verifier",
   SERVER_URL: "mcp_server_url",
-  ACCESS_TOKEN: "mcp_access_token",
-  REFRESH_TOKEN: "mcp_refresh_token",
+  TOKENS: "mcp_tokens",
+  CLIENT_INFORMATION: "mcp_client_information",
 } as const;

client/src/lib/hooks/useConnection.ts

@@ -21,9 +21,10 @@ import {
 import { useState } from "react";
 import { toast } from "react-toastify";
 import { z } from "zod";
-import { startOAuthFlow, refreshAccessToken } from "../auth";
 import { SESSION_KEYS } from "../constants";
 import { Notification, StdErrNotificationSchema } from "../notificationTypes";
+import { auth } from "@modelcontextprotocol/sdk/client/auth.js";
+import { authProvider } from "../auth";
 
 const DEFAULT_REQUEST_TIMEOUT_MSEC = 10000;
 
@@ -183,45 +184,14 @@ export function useConnection({
     }
   };
 
-  const initiateOAuthFlow = async () => {
-    sessionStorage.removeItem(SESSION_KEYS.ACCESS_TOKEN);
-    sessionStorage.removeItem(SESSION_KEYS.REFRESH_TOKEN);
-    sessionStorage.setItem(SESSION_KEYS.SERVER_URL, sseUrl);
-    const redirectUrl = await startOAuthFlow(sseUrl);
-    window.location.href = redirectUrl;
-  };
-
-  const handleTokenRefresh = async () => {
-    try {
-      const tokens = await refreshAccessToken(sseUrl);
-      sessionStorage.setItem(SESSION_KEYS.ACCESS_TOKEN, tokens.access_token);
-      if (tokens.refresh_token) {
-        sessionStorage.setItem(
-          SESSION_KEYS.REFRESH_TOKEN,
-          tokens.refresh_token,
-        );
-      }
-      return tokens.access_token;
-    } catch (error) {
-      console.error("Token refresh failed:", error);
-      await initiateOAuthFlow();
-      throw error;
-    }
-  };
-
   const handleAuthError = async (error: unknown) => {
     if (error instanceof SseError && error.code === 401) {
-      if (sessionStorage.getItem(SESSION_KEYS.REFRESH_TOKEN)) {
-        try {
-          await handleTokenRefresh();
-          return true;
-        } catch (error) {
-          console.error("Token refresh failed:", error);
-        }
-      } else {
-        await initiateOAuthFlow();
-      }
+      sessionStorage.setItem(SESSION_KEYS.SERVER_URL, sseUrl);
+
+      const result = await auth(authProvider, { serverUrl: sseUrl });
+      return result === "AUTHORIZED";
     }
+
     return false;
   };
 
@@ -253,10 +223,12 @@ export function useConnection({
         backendUrl.searchParams.append("url", sseUrl);
       }
 
+      // Inject auth manually instead of using SSEClientTransport, because we're
+      // proxying through the inspector server first.
       const headers: HeadersInit = {};
-      const accessToken = sessionStorage.getItem(SESSION_KEYS.ACCESS_TOKEN);
-      if (accessToken) {
-        headers["Authorization"] = `Bearer ${accessToken}`;
+      const tokens = await authProvider.tokens();
+      if (tokens) {
+        headers["Authorization"] = `Bearer ${tokens.access_token}`;
       }
 
       const clientTransport = new SSEClientTransport(backendUrl, {