feat(auth): add OAuth 2.1 provider for MCP connector support #3274

Merged: waleedlatif1 merged 11 commits into staging from feat/oauth-provider on Feb 20, 2026

@waleedlatif1
Collaborator

Summary

  • Add OAuth 2.1 Authorization Code + PKCE provider using Better Auth's oidcProvider and jwt plugins
  • Add consent page with app logos, signed-in account display, and account switching
  • Add Bearer token auth to MCP copilot endpoint (dual auth: OAuth + API key)
  • Update well-known metadata endpoints to point to real OIDC provider
  • Add CORS headers for cross-origin OAuth from claude.ai
  • Add DB schema + migration for oauth_application, oauth_access_token, oauth_consent, jwks tables
  • Force light theme on /oauth routes

Type of Change

  • New feature

Testing

Tested manually

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel
vercel bot commented Feb 20, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped Feb 20, 2026 10:04pm

@greptile-apps
Contributor

greptile-apps bot commented Feb 20, 2026

Greptile Summary

This PR implements a complete OAuth 2.1 Authorization Code + PKCE provider to enable MCP connector support for Claude.ai. The implementation adds four new database tables (oauth_application, oauth_access_token, oauth_consent, jwks) with proper foreign keys and indexes, integrates Better Auth's oidcProvider and jwt plugins, and creates a polished consent page with account switching functionality. The MCP copilot endpoint now supports dual authentication (OAuth Bearer tokens or API keys), and CORS headers are configured to allow cross-origin requests from claude.ai.

Key Changes:

  • Added OAuth 2.1 provider with mandatory PKCE (S256 only) and dynamic client registration
  • Implemented consent page with app logos, signed-in account display, and account switching
  • Added Bearer token authentication to /api/mcp/copilot with mcp:tools scope validation
  • Updated OAuth discovery metadata to point to real OIDC endpoints instead of placeholders
  • Added MCP tool annotations (readOnlyHint, destructiveHint, idempotentHint, openWorldHint) for Connectors Directory compliance
  • Configured CORS for OAuth endpoints, JWKS, and well-known metadata
  • Force light theme on /oauth routes for consistent UX

Security Posture:

  • PKCE is required with S256 (plain code challenge method disabled)
  • Access token expiry is properly validated with database-level checks
  • OAuth tokens are stored hashed by Better Auth (as confirmed by developer)
  • Proper session validation on authorize-params endpoint prevents cross-user access
  • WWW-Authenticate header correctly indicates required scope when auth is missing

Confidence Score: 4/5

  • Safe to merge with one minor scope validation issue
  • Implementation follows OAuth 2.1 best practices with PKCE, proper token validation, and secure CORS configuration. Security concerns from previous reviews were adequately addressed. Score reduced by 1 due to a potential scope bypass in the MCP endpoint when using OAuth (see comment).
  • Check apps/sim/app/api/mcp/copilot/route.ts for the scope validation logic

Important Files Changed

| Filename | Overview |
| --- | --- |
| apps/sim/lib/auth/auth.ts | Added OAuth 2.1 provider with PKCE, JWT plugin, and trusted origins for claude.ai |
| apps/sim/lib/auth/oauth-token.ts | New token validation logic with proper expiry and scope checks |
| packages/db/schema.ts | Added OAuth tables with proper foreign keys, indexes, and cascade deletes |
| apps/sim/app/api/mcp/copilot/route.ts | Added OAuth Bearer token auth alongside API key auth, with scope validation and WWW-Authenticate header |
| apps/sim/app/(auth)/oauth/consent/page.tsx | New consent UI with account switching, scope display, and proper error handling |
| apps/sim/next.config.ts | Added CORS headers for OAuth endpoints, well-known metadata, and MCP copilot |

Sequence Diagram

sequenceDiagram
    participant Client as Claude.ai
    participant Auth as /api/auth/oauth2
    participant Consent as /oauth/consent
    participant User as User Browser
    participant MCP as /api/mcp/copilot
    participant DB as Database

    Client->>Auth: GET /authorize with client_id, redirect_uri, code_challenge, scope
    Auth->>User: Redirect to /login (if not authenticated)
    User->>Auth: Login complete
    Auth->>Consent: Redirect to consent page with consent_code
    Consent->>DB: Fetch client info
    DB-->>Consent: Return client metadata
    User->>Consent: Click Allow or Deny
    Consent->>Auth: POST /consent with accept and consent_code
    Auth->>DB: Store consent and generate auth code
    Auth-->>Client: Redirect with authorization code
    Client->>Auth: POST /token with code and code_verifier
    Auth->>DB: Verify PKCE and create access token
    DB-->>Auth: Return access and refresh tokens
    Auth-->>Client: Return token response
    Client->>MCP: POST /copilot with Bearer token
    MCP->>DB: Validate token and check scopes
    DB-->>MCP: Return userId and scopes
    MCP-->>Client: Execute MCP tool request

Last reviewed commit: c45ad4b
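
The Bearer-token path summarized in the review above (expiry check, `mcp:tools` scope check, `WWW-Authenticate` challenge, API key as the alternative) is illustrated below. This is an added example, not code from the PR or from Better Auth; the in-memory tables, the `x-api-key` header name and all function names are assumptions, and token hashing is left out.

```typescript
// Added example: names, header keys and sample records are constructed, not taken from the PR.
type AuthResult = { status: number; userId?: string; via?: string; wwwAuthenticate?: string }
type TokenRecord = { userId: string; scopes: string; expiresAt: Date }

const REQUIRED_SCOPE = 'mcp:tools'

// Constructed stand-ins for the access-token table and the API-key store.
const TOKENS: Record<string, TokenRecord> = {
  'tok-good': { userId: 'u1', scopes: 'openid mcp:tools', expiresAt: new Date('2099-01-01') },
  'tok-noscope': { userId: 'u2', scopes: 'openid profile', expiresAt: new Date('2099-01-01') },
  'tok-expired': { userId: 'u3', scopes: 'mcp:tools', expiresAt: new Date('2020-01-01') },
}
const API_KEYS: Record<string, string> = { 'key-123': 'u9' }

// Own-property lookup so a token such as "constructor" cannot hit Object.prototype.
function lookup<T>(table: Record<string, T>, key: string): T | undefined {
  return Object.prototype.hasOwnProperty.call(table, key) ? table[key] : undefined
}

// RFC 6750 challenge; the error code is omitted when no credentials were sent.
function challenge(status: number, error?: string): AuthResult {
  const params = (error ? `error="${error}", ` : '') + `scope="${REQUIRED_SCOPE}"`
  return { status, wwwAuthenticate: `Bearer ${params}` }
}

// `headers` is assumed to have lowercase keys; `x-api-key` is a hypothetical header name.
function authenticate(headers: Record<string, string | undefined>, now: Date = new Date()): AuthResult {
  const authz = headers['authorization']
  if (authz !== undefined) {
    // A presented Bearer token is judged on its own and never falls through to the API-key path.
    const m = /^Bearer ([A-Za-z0-9._~+\/-]+=*)$/i.exec(authz.trim())
    const rec = m ? lookup(TOKENS, m[1]) : undefined
    if (!rec || rec.expiresAt.getTime() <= now.getTime()) return challenge(401, 'invalid_token')
    // Exact match on space-delimited scope tokens; an empty scope string grants nothing.
    const granted = rec.scopes.split(' ').filter((s) => s.length > 0)
    if (granted.indexOf(REQUIRED_SCOPE) === -1) return challenge(403, 'insufficient_scope')
    return { status: 200, userId: rec.userId, via: 'oauth' }
  }
  const apiKey = headers['x-api-key']
  const owner = apiKey ? lookup(API_KEYS, apiKey) : undefined
  return owner ? { status: 200, userId: owner, via: 'api_key' } : challenge(401)
}
```

A token that lacks `mcp:tools` is rejected with 403 even when a valid API key accompanies it, so the weaker credential cannot mask a scope failure.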

Contributor

@greptile-apps greptile-apps bot left a comment

11 files reviewed, 2 comments

@waleedlatif1
Collaborator Author

@cursor review

@waleedlatif1
Collaborator Author

@greptile

Contributor

@greptile-apps greptile-apps bot left a comment

12 files reviewed, 4 comments

@waleedlatif1
Collaborator Author

@greptile

@waleedlatif1
Collaborator Author

@cursor review

Contributor

@greptile-apps greptile-apps bot left a comment

14 files reviewed, 1 comment

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

@waleedlatif1 waleedlatif1 merged commit 3fa4bb4 into staging Feb 20, 2026
12 checks passed
@waleedlatif1 waleedlatif1 deleted the feat/oauth-provider branch February 20, 2026 23:56