Skip to content

MCP improvements #5699

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
rekram1-node merged 5 commits into from
Dec 18, 2025
Merged

MCP improvements #5699

rekram1-node merged 5 commits into from
Dec 18, 2025
+132 −59

Conversation

@roerohan
Copy link
Contributor

@roerohan roerohan commented Dec 17, 2025

  1. The state parameter is a random generated string now (as per OAuth 2.0 spec). We validate in the callback that the same string is received.
  2. Previously, if you changed the URL for an MCP server (with oauth enabled), it would stop working. For example, if you had a gitlab MCP server and you changed the URL from https://gitlab.com/mcp to https://gitlab.mycompany.com/mcp, it would not work. To make it work, you'd have to rename the MCP server (to gitlab-2 or something) or create a new one. This PR fixes that as well.
image

Tested locally.

@roerohan
fix: added oauth state validation to MCP auth
e67a5d6
@roerohan
chore: rename mcpName -> oauthState for clarity
5379117
@roerohan
fix: state generation in startAuth
0f4015f
@roerohan
fix: allow changing MCP URL for same name
a2d4ca0 
Added URL tracking to MCP OAuth credentials to automatically invalidate auth when server URL changes. The auth provider now validates stored credentials against the current server URL, triggering re-authentication when the URL is updated in config.
@roerohan
chore: format
556dd60
@rekram1-node
Copy link
Collaborator

rekram1-node commented Dec 17, 2025

/review

@github-actions
Copy link
Contributor

github-actions bot commented Dec 17, 2025

lgtm

@rekram1-node rekram1-node merged commit 7427b88 into sst:dev Dec 18, 2025
3 checks passed
@roerohan roerohan deleted the fix-oauth-state branch December 18, 2025 02:50
shuv1337 added a commit to Latitudes-Dev/shuvcode that referenced this pull request Dec 18, 2025
@shuv1337 @R44VC0RP
@actions-user @jayair @roerohan @fwang @jknlsn @devxoul @Brendonovich @opencode-agent
sync: merge upstream v1.0.167 (#143)
7ae7673 
* docs: add opencode.cafe to ecosystem page (sst#5714)

* chore: format code

* docs: add legal pages with privacy policy and terms of service links

* MCP improvements (sst#5699)

* zen: error handling for stream requests

* feat(tui): add option to disable terminal title (sst#5713)

* docs: add OPENCODE_DISABLE_TERMINAL_TITLE to environment variables (sst#5725)

* chore: format code

* zen: error handling for stream requests

* tauri: server spawn fail dialog w/ copy logs button (sst#5729)

* tauri: say OpenCode Server instead of OpenCode CLI

* fix: handle empty directory query parameter in server middleware (sst#5732)

* release: v1.0.167

* sync: record last synced tag v1.0.167

---------

Co-authored-by: Ryan Vogel <[email protected]>
Co-authored-by: GitHub Action <[email protected]>
Co-authored-by: Jay V <[email protected]>
Co-authored-by: Rohan Mukherjee <[email protected]>
Co-authored-by: Frank <[email protected]>
Co-authored-by: Jake Nelson <[email protected]>
Co-authored-by: Jeon Suyeol <[email protected]>
Co-authored-by: Brendan Allan <[email protected]>
Co-authored-by: opencode <[email protected]>
Co-authored-by: opencode-agent[bot] <opencode-agent[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@roerohan @rekram1-node