Skip to content

Allow delegating OAuth authorization to existing app-level implementations #497

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
m-paternostro opened this issue May 15, 2025 · 2 comments
Open

Allow delegating OAuth authorization to existing app-level implementations #497

m-paternostro opened this issue May 15, 2025 · 2 comments
Labels
enhancement New feature or request

Comments

@m-paternostro
Copy link
Contributor

m-paternostro commented May 15, 2025
edited
Loading

Is your feature request related to a problem? Please describe.

When embedding an MCP client into an application that already has its own authentication mechanism - such as a mobile app, a server with an identity layer, or in my case, a VS Code extension - there’s no clean way to reuse that existing auth flow.

Currently, the SDK requires a full end-to-end OAuth flow even when a valid token is already managed elsewhere. If I want to inject my own logic (e.g., refresh a token silently or use a system credential store), the only workaround is to subclass SSEClientTransport and/or StreamableHTTPClientTransport and override methods like send. Unfortunately, the relevant methods are mostly private or tightly coupled, which makes this approach fragile and hard to maintain over time.

Describe the solution you'd like

I’ve proposed an optional method, OAuthClientProvider.delegateAuthorization, that lets clients provide their own pre-auth logic.

If implemented, this hook is called before the SDK starts the standard OAuth flow. If it returns "AUTHORIZED", the SDK skips its own auth logic. If it returns undefined, everything proceeds as normal.

This enables use cases like:

  • Refreshing tokens from a shared identity system
  • Using ambient credentials from a native environment
  • Rehydrating persisted sessions from the host app

Describe alternatives you've considered

As mentioned, the only current workaround is to subclass the transport classes and override private methods—reimplementing large chunks of code like send or _authThenStart. This is brittle and makes it harder to keep up with SDK changes.

Additional context

The proposed solution is passive and backward-compatible. If you don’t implement delegateAuthorization, nothing changes. But if you do, you gain full control over how your client handles the first authorization event (e.g., after a 401).

Would love your thoughts on the proposal in PR #485!
@m-paternostro m-paternostro added the enhancement New feature or request label May 15, 2025
@Mizommz
Copy link

Mizommz commented May 16, 2025

https://modelcontextprotocol.io/introduction#get-started

@m-paternostro
Copy link
Contributor Author

m-paternostro commented May 16, 2025
edited
Loading

@Mizommz I am sorry, but I did not get how anything on the get-started can help me :-/

In fact I don't think I've stumbled on any reference to OAuth, which this FR and associated PR are about.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Mizommz @m-paternostro