Skip to content

client: preserve OAuth discovery metadata across browser redirects #1816

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
windro-xdd wants to merge 35 commits into from

merge: resolve streamableHttp.ts conflict, keep OAuth implementation

317fec5
Select commit
Loading
Failed to load commit list.
Closed

client: preserve OAuth discovery metadata across browser redirects #1816

merge: resolve streamableHttp.ts conflict, keep OAuth implementation
317fec5
Select commit
Loading
Failed to load commit list.
Claude / Claude Code Review completed Apr 8, 2026 in 13m 18s

Code review found 2 important issues

Found 5 candidates, confirmed 3. See review comments for details.

Details

Severity Count
🔴 Important 2
🟡 Nit 0
🟣 Pre-existing 0
Severity File:Line Issue
🔴 Important packages/client/src/providers/oauthProvider.ts:19 OAuthProvider is non-functional: broken import and no-op createTransportWithRestoredState()
🔴 Important packages/client/src/client/streamableHttp.ts:205-210 StreamableHTTPClientTransport missing sessionStorage persistence for OAuth redirect flows

Annotations

Check failure on line 19 in packages/client/src/providers/oauthProvider.ts

See this annotation in the file changed.

@claude claude / Claude Code Review

OAuthProvider is non-functional: broken import and no-op createTransportWithRestoredState() 

The new OAuthProvider class in packages/client/src/providers/oauthProvider.ts has two critical bugs that make it non-functional. Line 19 imports from "../client/index.js", but no index.ts barrel exists in packages/client/src/client/ — this is a compilation error that prevents the file from building. Additionally, createTransportWithRestoredState() accepts resourceMetadataUrl and scope options but silently ignores them: it creates a bare StreamableHTTPClientTransport with empty options {} and onl

Check failure on line 210 in packages/client/src/client/streamableHttp.ts

See this annotation in the file changed.

@claude claude / Claude Code Review

StreamableHTTPClientTransport missing sessionStorage persistence for OAuth redirect flows 

StreamableHTTPClientTransport is missing the sessionStorage persistence that this PR claims to implement for it. The PR description states "persist interactive OAuth metadata (resource_metadata URL and scope) in browser sessionStorage for **both** Streamable HTTP and SSE client transports", but only SSEClientTransport received the implementation. In a real browser redirect flow, the new StreamableHTTPClientTransport instance will start with undefined _resourceMetadataUrl and _scope and must redo
View more details on Claude