Skip to content

Commit 0e7edd7

Browse files
committed
Add OAuth2 client_credentials auth for MCP and GraphQL integrations
MCP and GraphQL integrations could only authenticate OAuth via the interactive authorization_code flow (which acts as the connecting user) or a static, never-refreshed bearer string. This adds service-account support: an integration can mint and refresh a client_credentials token itself, giving one shared app identity with no per-user sign-in. The token mint/refresh/storage machinery already lived in core/sdk and is grant-aware. The work was making the MCP and GraphQL auth methods endpoint-ful (carry tokenUrl + scopes + resource) so they can advertise a token endpoint, and adding defaultGrant / defaultTokenEndpointAuthMethod to the auth-method descriptor so the shared connect flow pre-fills the right grant and client-auth method. Core also gains a per-client token_endpoint_auth_method ("body" | "basic"), threaded through every token request, because some providers (e.g. Linear's client_credentials grant) require HTTP Basic at the token endpoint. Only "basic" is ever materialized; "body" (client_secret_post) stays the implicit default, so existing clients and rows are untouched. - core: nullable token_endpoint_auth_method column + SDK/API/React plumbing, threaded into the client_credentials mint, the authorization_code exchange, and the refresh/re-mint path - descriptor: defaultGrant + defaultTokenEndpointAuthMethod, consumed by the shared add-account connect flow - graphql/mcp: endpoint-ful oauth2 methods; GraphQL Add UI now allows oauth; MCP runtime unchanged (the resolved, refreshing token still flows through the MCP SDK's OAuthClientProvider) - agent surface: oauth.clients.list and oauth.clients.createHandoff round-trip the field - tests: OAuthTestServer can enforce and record the client-auth transport; client_credentials e2e for both MCP and GraphQL, plus HTTP Basic coverage on initial mint, expiry re-mint, and the authorization_code exchange
1 parent 529b908 commit 0e7edd7

43 files changed

Lines changed: 3266 additions & 49 deletions

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.
Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
ALTER TABLE "oauth_client" ADD COLUMN "token_endpoint_auth_method" text;

0 commit comments

Comments
 (0)