feat(auth): add OAuth 2.1 provider for MCP connector support

[waleedlatif1]

Summary

• Add OAuth 2.1 Authorization Code + PKCE provider using Better Auth's oidcProvider and jwt plugins
• Add consent page with app logos, signed-in account display, and account switching
• Add Bearer token auth to MCP copilot endpoint (dual auth: OAuth + API key)
• Update well-known metadata endpoints to point to real OIDC provider
• Add CORS headers for cross-origin OAuth from claude.ai
• Add DB schema + migration for oauth_application, oauth_access_token, oauth_consent, jwks tables
• Force light theme on /oauth routes

Type of Change

• New feature

Testing

Tested manually

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Feb 20, 2026 10:04pm

[greptile-apps]

Greptile Summary

This PR implements a complete OAuth 2.1 Authorization Code + PKCE provider to enable MCP connector support for Claude.ai. The implementation adds four new database tables (oauth_application, oauth_access_token, oauth_consent, jwks) with proper foreign keys and indexes, integrates Better Auth's oidcProvider and jwt plugins, and creates a polished consent page with account switching functionality. The MCP copilot endpoint now supports dual authentication (OAuth Bearer tokens or API keys), and CORS headers are configured to allow cross-origin requests from claude.ai.

Key Changes:

• Added OAuth 2.1 provider with mandatory PKCE (S256 only) and dynamic client registration
• Implemented consent page with app logos, signed-in account display, and account switching
• Added Bearer token authentication to /api/mcp/copilot with mcp:tools scope validation
• Updated OAuth discovery metadata to point to real OIDC endpoints instead of placeholders
• Added MCP tool annotations (readOnlyHint, destructiveHint, idempotentHint, openWorldHint) for Connectors Directory compliance
• Configured CORS for OAuth endpoints, JWKS, and well-known metadata
• Force light theme on /oauth routes for consistent UX

Security Posture:

• PKCE is required with S256 (plain code challenge method disabled)
• Access token expiry is properly validated with database-level checks
• OAuth tokens are stored hashed by Better Auth (as confirmed by developer)
• Proper session validation on authorize-params endpoint prevents cross-user access
• WWW-Authenticate header correctly indicates required scope when auth is missing

Confidence Score: 4/5

• Safe to merge with one minor scope validation issue
• Implementation follows OAuth 2.1 best practices with PKCE, proper token validation, and secure CORS configuration. Security concerns from previous reviews were adequately addressed. Score reduced by 1 due to a potential scope bypass in the MCP endpoint when using OAuth (see comment).
• Check apps/sim/app/api/mcp/copilot/route.ts for the scope validation logic

Important Files Changed

Filename	Overview
apps/sim/lib/auth/auth.ts	Added OAuth 2.1 provider with PKCE, JWT plugin, and trusted origins for claude.ai
apps/sim/lib/auth/oauth-token.ts	New token validation logic with proper expiry and scope checks
packages/db/schema.ts	Added OAuth tables with proper foreign keys, indexes, and cascade deletes
apps/sim/app/api/mcp/copilot/route.ts	Added OAuth Bearer token auth alongside API key auth, with scope validation and WWW-Authenticate header
apps/sim/app/(auth)/oauth/consent/page.tsx	New consent UI with account switching, scope display, and proper error handling
apps/sim/next.config.ts	Added CORS headers for OAuth endpoints, well-known metadata, and MCP copilot

Sequence Diagram

sequenceDiagram
    participant Client as Claude.ai
    participant Auth as /api/auth/oauth2
    participant Consent as /oauth/consent
    participant User as User Browser
    participant MCP as /api/mcp/copilot
    participant DB as Database

    Client->>Auth: GET /authorize with client_id, redirect_uri, code_challenge, scope
    Auth->>User: Redirect to /login (if not authenticated)
    User->>Auth: Login complete
    Auth->>Consent: Redirect to consent page with consent_code
    Consent->>DB: Fetch client info
    DB-->>Consent: Return client metadata
    User->>Consent: Click Allow or Deny
    Consent->>Auth: POST /consent with accept and consent_code
    Auth->>DB: Store consent and generate auth code
    Auth-->>Client: Redirect with authorization code
    Client->>Auth: POST /token with code and code_verifier
    Auth->>DB: Verify PKCE and create access token
    DB-->>Auth: Return access and refresh tokens
    Auth-->>Client: Return token response
    Client->>MCP: POST /copilot with Bearer token
    MCP->>DB: Validate token and check scopes
    DB-->>MCP: Return userId and scopes
    MCP-->>Client: Execute MCP tool request

Loading

_{Last reviewed commit: c45ad4b}

[greptile-apps]

_{11 files reviewed, 2 comments}

_{Edit Code Review Agent Settings | Greptile}

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[greptile-apps]

_{12 files reviewed, 4 comments}

_{Edit Code Review Agent Settings | Greptile}

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[greptile-apps]

_{14 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}