Fix: MCP OAuth authentication for servers with client allowlists (#88)

Author: jjjrmy

src/main/index.ts

@@ -248,7 +248,7 @@ const FAVICON_SVG = `<svg width="32" height="32" viewBox="0 0 1024 1024" fill="n
 const FAVICON_DATA_URI = `data:image/svg+xml,${encodeURIComponent(FAVICON_SVG)}`
 
 // Start local HTTP server for auth callbacks
-// This catches http://localhost:{AUTH_SERVER_PORT}/auth/callback?code=xxx and /mcp-oauth/callback
+// This catches http://localhost:{AUTH_SERVER_PORT}/auth/callback?code=xxx and /callback (for MCP OAuth)
 const server = createServer((req, res) => {
     const url = new URL(req.url || "", `http://localhost:${AUTH_SERVER_PORT}`)
 
@@ -339,8 +339,8 @@ const server = createServer((req, res) => {
         res.writeHead(400, { "Content-Type": "text/plain" })
         res.end("Missing code parameter")
       }
-    } else if (url.pathname === "/mcp-oauth/callback") {
-      // Handle MCP OAuth callback in dev mode
+    } else if (url.pathname === "/callback") {
+      // Handle MCP OAuth callback
       const code = url.searchParams.get("code")
       const state = url.searchParams.get("state")
       console.log(

src/main/lib/mcp-auth.ts

@@ -139,8 +139,8 @@ const OAUTH_TIMEOUT_MS = 5 * 60 * 1000;
 
 function getMcpOAuthRedirectUri(): string {
   return IS_DEV
-    ? `http://localhost:${AUTH_SERVER_PORT}/mcp-oauth/callback`
-    : `http://127.0.0.1:${AUTH_SERVER_PORT}/mcp-oauth/callback`;
+    ? `http://localhost:${AUTH_SERVER_PORT}/callback`
+    : `http://127.0.0.1:${AUTH_SERVER_PORT}/callback`;
 }
 
 interface PendingOAuth {
@@ -149,6 +149,7 @@ interface PendingOAuth {
   codeVerifier: string;
   tokenEndpoint: string;
   clientId: string;
+  clientSecret?: string;
   redirectUri: string;
   resolve: (result: { success: boolean; error?: string }) => void;
   timeoutId: NodeJS.Timeout;
@@ -169,7 +170,7 @@ export async function startMcpOAuth(
   const serverConfig = getMcpServerConfig(config, projectPath, serverName);
 
   if (!serverConfig?.url) {
-    throw new Error(`MCP server "${serverName}" URL not configured`);
+    return { success: false, error: `MCP server "${serverName}" URL not configured` };
   }
 
   // 2. Use CraftOAuth for OAuth logic
@@ -180,7 +181,16 @@ export async function startMcpOAuth(
   );
 
   // 3. Start OAuth flow (fetches metadata from .well-known, then gets auth URL)
-  const { authUrl, state, codeVerifier, tokenEndpoint, clientId } = await oauth.startAuthFlow();
+  let authFlowResult;
+  try {
+    authFlowResult = await oauth.startAuthFlow();
+  } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
+    console.error(`[MCP OAuth] Failed to start auth flow: ${msg}`);
+    return { success: false, error: msg };
+  }
+
+  const { authUrl, state, codeVerifier, tokenEndpoint, clientId, clientSecret } = authFlowResult;
 
   // 4. Store pending flow and wait for callback
   return new Promise((resolve) => {
@@ -195,6 +205,7 @@ export async function startMcpOAuth(
       codeVerifier,
       tokenEndpoint,
       clientId,
+      clientSecret,
       redirectUri,
       resolve,
       timeoutId,
@@ -237,7 +248,8 @@ export async function handleMcpOAuthCallback(code: string, state: string): Promi
       code,
       pending.codeVerifier,
       pending.tokenEndpoint,
-      pending.clientId
+      pending.clientId,
+      pending.clientSecret
     );
 
     // 3. Save to ~/.claude.json

src/main/lib/oauth.ts

@@ -45,8 +45,11 @@ export interface OAuthCallbacks {
 }
 
 const CALLBACK_PORT = 8914;
-const CALLBACK_PATH = '/oauth/callback';
+const CALLBACK_PATH = '/callback';
+// Client names for OAuth registration
+// Some MCP servers (like Figma) have an allowlist - try '1code' first, fall back to 'Codex'
 const CLIENT_NAME = '1code';
+const FALLBACK_CLIENT_NAME = 'Codex';
 
 /**
  * Generate a styled OAuth callback page with terminal emulator aesthetic
@@ -537,7 +540,7 @@ export class CraftOAuth {
   }
 
   // Register OAuth client dynamically
-  private async registerClient(registrationEndpoint: string): Promise<{
+  private async registerClient(registrationEndpoint: string, clientName: string): Promise<{
     client_id: string;
     client_secret?: string;
   }> {
@@ -547,7 +550,7 @@ export class CraftOAuth {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
       body: JSON.stringify({
-        client_name: CLIENT_NAME,
+        client_name: clientName,
         redirect_uris: [redirectUri],
         grant_types: ['authorization_code', 'refresh_token'],
         response_types: ['code'],
@@ -572,7 +575,8 @@ export class CraftOAuth {
     code: string,
     codeVerifier: string,
     clientId: string,
-    redirectUri?: string
+    redirectUri?: string,
+    clientSecret?: string
   ): Promise<OAuthTokens> {
     const uri = redirectUri || this.config.redirectUri || `http://localhost:${CALLBACK_PORT}${CALLBACK_PATH}`;
 
@@ -584,6 +588,11 @@ export class CraftOAuth {
       code_verifier: codeVerifier,
     });
 
+    // Add client_secret if provided (some servers require it)
+    if (clientSecret) {
+      params.set('client_secret', clientSecret);
+    }
+
     const response = await fetch(tokenEndpoint, {
       method: 'POST',
       headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
@@ -686,15 +695,24 @@ export class CraftOAuth {
     // Register client if endpoint available
     let clientId: string;
     if (metadata.registration_endpoint) {
-      this.callbacks.onStatus(`Registering client at ${metadata.registration_endpoint}...`);
+      // Try primary client name first, fall back to alternative if rejected
+      this.callbacks.onStatus(`Registering client as '${CLIENT_NAME}'...`);
       try {
-        const client = await this.registerClient(metadata.registration_endpoint);
+        const client = await this.registerClient(metadata.registration_endpoint, CLIENT_NAME);
         clientId = client.client_id;
         this.callbacks.onStatus(`Registered as client: ${clientId}`);
       } catch (error) {
-        const msg = error instanceof Error ? error.message : 'Unknown error';
-        this.callbacks.onStatus(`Client registration failed: ${msg}`);
-        throw error;
+        // Try fallback client name (some servers have allowlists)
+        this.callbacks.onStatus(`Registration as '${CLIENT_NAME}' failed, trying '${FALLBACK_CLIENT_NAME}'...`);
+        try {
+          const client = await this.registerClient(metadata.registration_endpoint, FALLBACK_CLIENT_NAME);
+          clientId = client.client_id;
+          this.callbacks.onStatus(`Registered as client: ${clientId}`);
+        } catch (fallbackError) {
+          const msg = fallbackError instanceof Error ? fallbackError.message : 'Unknown error';
+          this.callbacks.onStatus(`Client registration failed: ${msg}`);
+          throw fallbackError;
+        }
       }
     } else {
       // Use a default client ID for public clients
@@ -754,16 +772,32 @@ export class CraftOAuth {
     codeVerifier: string;
     tokenEndpoint: string;
     clientId: string;
+    clientSecret?: string;
   }> {
     this.callbacks.onStatus('Fetching OAuth server configuration...');
     const metadata = preloadedMetadata || await this.getServerMetadata();
 
     // Register client if endpoint available
     let clientId: string;
+    let clientSecret: string | undefined;
     if (metadata.registration_endpoint) {
-      const client = await this.registerClient(metadata.registration_endpoint);
-      clientId = client.client_id;
+      // Try primary client name first, fall back to alternative if rejected
+      this.callbacks.onStatus(`Registering client as '${CLIENT_NAME}'...`);
+      try {
+        const client = await this.registerClient(metadata.registration_endpoint, CLIENT_NAME);
+        clientId = client.client_id;
+        clientSecret = client.client_secret;
+        this.callbacks.onStatus(`Registered as client: ${clientId}`);
+      } catch (error) {
+        // Try fallback client name (some servers have allowlists)
+        this.callbacks.onStatus(`Registration as '${CLIENT_NAME}' failed, trying '${FALLBACK_CLIENT_NAME}'...`);
+        const client = await this.registerClient(metadata.registration_endpoint, FALLBACK_CLIENT_NAME);
+        clientId = client.client_id;
+        clientSecret = client.client_secret;
+        this.callbacks.onStatus(`Registered as client: ${clientId}`);
+      }
     } else {
+      // No registration endpoint - use default client ID
       clientId = '1code';
     }
 
@@ -785,6 +819,7 @@ export class CraftOAuth {
       codeVerifier: pkce.verifier,
       tokenEndpoint: metadata.token_endpoint,
       clientId,
+      clientSecret,
     };
   }
 
@@ -795,10 +830,11 @@ export class CraftOAuth {
     code: string,
     codeVerifier: string,
     tokenEndpoint: string,
-    clientId: string
+    clientId: string,
+    clientSecret?: string
   ): Promise<OAuthTokens> {
     const redirectUri = this.config.redirectUri || `http://localhost:${CALLBACK_PORT}${CALLBACK_PATH}`;
-    return this.exchangeCodeForTokens(tokenEndpoint, code, codeVerifier, clientId, redirectUri);
+    return this.exchangeCodeForTokens(tokenEndpoint, code, codeVerifier, clientId, redirectUri, clientSecret);
   }
 
   // Start local HTTP server to receive OAuth callback

src/renderer/components/dialogs/settings-tabs/agents-mcp-tab.tsx

@@ -80,8 +80,11 @@ function ServerRow({ server, isExpanded, onToggle, onAuth }: ServerRowProps) {
 
   return (
     <div>
-      <button
+      <div
+        role={hasTools ? "button" : undefined}
+        tabIndex={hasTools ? 0 : undefined}
         onClick={hasTools ? onToggle : undefined}
+        onKeyDown={hasTools ? (e) => { if (e.key === "Enter" || e.key === " ") { e.preventDefault(); onToggle(); } } : undefined}
         className={cn(
           "w-full flex items-center gap-3 p-3 text-left transition-colors",
           hasTools && "hover:bg-muted/50 cursor-pointer",
@@ -140,7 +143,7 @@ function ServerRow({ server, isExpanded, onToggle, onAuth }: ServerRowProps) {
             {isConnected ? "Reconnect" : "Auth"}
           </Button>
         )}
-      </button>
+      </div>
 
       {/* Expanded tools list */}
       <AnimatePresence>
@@ -233,7 +236,10 @@ export function AgentsMcpTab() {
         toast.error(result.error || "Authentication failed")
       }
     } catch (error) {
-      toast.error("Authentication failed")
+      // Extract actual error message from tRPC error
+      const message = error instanceof Error ? error.message : "Authentication failed";
+      console.error(`[MCP Auth] Error authenticating ${serverName}:`, error);
+      toast.error(message)
     }
   }