Add SDK MCP OAuth host token handlers#1669
Conversation
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Auto-committed by java-codegen-check workflow.
github-actions
Bot
added
the
dependencies
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| InfiniteSessionConfig, | ||
| LargeToolOutputConfig, | ||
| MCPServerConfig, | ||
| McpAuthHandler, |
| MCPOauthPendingRequestResponse = Union[MCPOauthPendingRequestResponseCancelled, MCPOauthPendingRequestResponseToken] | ||
|
|
||
|
|
||
| def _load_mcp_oauth_pending_request_response(obj: Any) -> "MCPOauthPendingRequestResponse": |
Cross-SDK Consistency ReviewFeature coverage: ✅ All six SDKs covered The MCP OAuth host-token callback is implemented across Node.js, Python, Go, .NET, Java, and Rust in this PR. The feature is broadly consistent, with the API shaped appropriately for each language's idioms. 🐛 Bug found — Rust
|
| SDK | requestId accessible to handler? |
|---|---|
| Node.js | ✅ in McpAuthRequest.requestId |
| Python | ✅ in McpAuthRequest["requestId"] |
| Go | ✅ in MCPAuthRequest.RequestID |
| Java | ✅ in McpAuthRequest.requestId() |
| Rust | ✅ as separate request_id: RequestId parameter |
| .NET | ❌ not exposed in McpAuthContext |
requestId is internal routing data that users typically don't need. The .NET McpAuthContext design (hiding it) is arguably cleaner, but if there's ever a need for host-side correlation of concurrent OAuth requests, the .NET handler would be unable to distinguish them. This may be fine by design — just worth a deliberate call.
Everything else looks consistent ✅
- Handler registration pattern (opt-in interest registration for
mcp.oauth_required) is identical across all 6 SDKs. McpAuthResultcancellation semantics are consistent (each language uses its idiomatic pattern: enum in Rust, nullable in .NET, discriminated union in Node/Python, struct in Go, record in Java).- Both
create_session/resume_sessionpaths register interest in all SDKs. - Error-path fallback to cancellation on handler exceptions is present in all SDKs.
Generated by SDK Consistency Review Agent for issue #1669 · sonnet46 2.1M · ◷
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Generated by SDK Consistency Review Agent for issue #1669 · sonnet46 2.1M
| .field( | ||
| "mcp_auth_handler", | ||
| &self.mcp_auth_handler.as_ref().map(|_| "<set>"), | ||
| ) |
There was a problem hiding this comment.
Duplicate Debug field — Rust SessionConfig
The mcp_auth_handler field is emitted twice in the Debug implementation (lines 1462–1465 and 1466–1469 are identical). The second block should be removed; otherwise debug/trace output will contain duplicate keys and DebugStruct::finish() may behave unexpectedly with some formatters.
// Remove this duplicate block (lines 1466-1469):
.field(
"mcp_auth_handler",
&self.mcp_auth_handler.as_ref().map(|_| "<set>"),
)
| catch (Exception) | ||
| { | ||
| try | ||
| { | ||
| await Rpc.Mcp.Oauth.HandlePendingRequestAsync(requestId, new McpOauthPendingRequestResponseCancelled()); | ||
| } | ||
| catch (Exception rpcEx) when (rpcEx is IOException or ObjectDisposedException) | ||
| { | ||
| // Connection lost or RPC error — nothing we can do. | ||
| } | ||
| } |
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
| export interface McpAuthStaticClientConfig { | ||
| /** OAuth client ID for the server. */ | ||
| clientId: string; | ||
| /** Optional non-default OAuth grant type. */ | ||
| grantType?: "client_credentials"; | ||
| /** Whether this is a public OAuth client. */ | ||
| publicClient?: boolean; |
There was a problem hiding this comment.
what about the clientSecret? A lot of AS's use client secrets even for public clients. (VS Code allows specifying a client secret, stored in secret storage)
| export interface McpAuthToken { | ||
| /** Access token acquired by the SDK host. */ | ||
| accessToken: string; | ||
| /** OAuth token type. Defaults to Bearer when omitted. */ | ||
| tokenType?: string; | ||
| /** Refresh token supplied by the host, if available. */ | ||
| refreshToken?: string; | ||
| /** Token lifetime in seconds, if known. */ | ||
| expiresIn?: number; | ||
| } |
There was a problem hiding this comment.
what about an idToken? idTokens are useful as they contain claims that are good to display like usernames/email/etc.
3 participants
Summary
session.mcp.oauth.handlePendingRequest,mcp.oauth_required, andmcp.oauth_completed.mcp.oauth_required.data.resourceMetadatathrough generated event DTOs and public MCP auth request handler models across SDK languages.wwwAuthenticateParamswhen older runtimes omit them.mcp.oauth_requiredinterest only when the high-level MCP auth callback is configured.Notes
Validation
cd nodejs && npm run typecheck && npx vitest run test/client.test.ts -t "MCP OAuth|McpAuth"passed.cd nodejs && npx prettier --check src/generated/session-events.ts src/types.ts test/client.test.ts test/e2e/mcp_oauth.e2e.test.ts ../test/harness/test-mcp-oauth-server.mjspassed./Users/roji/.copilot/repos/copilot-worktrees/copilot-agent-runtime/roji-ubiquitous-parakeetwithpnpm run build.cd nodejs && npx vitest run test/e2e/mcp_oauth.e2e.test.tspassed against the rebuilt sibling runtime.cd go && go test ./...passed.cd python && uv run --extra dev pytest ../python/test_client.py -k mcp_authpassed.cd dotnet && DOTNET_ROOT="$HOME/.dotnet" PATH="$HOME/.dotnet:$PATH" dotnet test test/GitHub.Copilot.SDK.Test.csproj --filter "FullyQualifiedName~SessionEventSerializationTests"passed.cd java && mvn spotless:apply && mvn verifypassed.cd rust && cargo test --features test-support --test session_test mcp_oauth_required_data_allows_optional_metadatapassed.