Version / branch / commit
main at commit 3c81fea
OS and environment
macOS 26.5.2 / darwin arm64 / Go 1.26.4
Summary
Configured OAuth endpoints are rejected when they use a non-HTTPS, non-loopback URL, but endpoints learned from OAuth/OIDC discovery are merged without the same validation. That lets discovery metadata downgrade the authorization, token/device, or MCP registration endpoint safety after the initial provider config has already passed validation.
This affects both the provider OAuth flow and the MCP OAuth flow because MCP delegates discovery to internal/oauth and then uses the returned metadata.
Steps to reproduce
- Configure an OAuth provider or MCP OAuth server using an issuer/discovery URL.
- Serve discovery metadata from that issuer with an insecure discovered endpoint, for example:
{
"issuer": "http://127.0.0.1:12345",
"authorization_endpoint": "http://evil.example/authorize",
"token_endpoint": "http://127.0.0.1:12345/token"
}
- Start the loopback login flow.
- The login flow builds and opens an authorization URL beginning with
http://evil.example/authorize?.
I verified this locally with temporary tests against both internal/oauth.Manager.Login and the MCP OAuth resolver/authorization URL path. The fake browser opener received a URL starting with http://evil.example/authorize?.
Expected behavior
Discovered OAuth endpoints should be validated before being merged or used. A non-HTTPS, non-loopback authorization_endpoint, token_endpoint, device_authorization_endpoint, or MCP registration_endpoint should be rejected with the same endpoint-safety rule used for configured endpoints.
Actual behavior
Configured endpoints pass through validateTokenEndpoint, but discovery metadata is merged without revalidation:
internal/oauth/providers.go validates configured endpoints.
internal/oauth/manager.go merges discovered provider endpoints into the config.
internal/mcp/oauth.go merges discovered MCP OAuth metadata.
internal/oauth/flow.go only parses the authorization endpoint before building the browser URL.
As a result, discovery metadata can silently downgrade the login flow to an insecure authorization URL.
Notes
I did not find an existing issue or open PR covering this exact validation gap.
Version / branch / commit
main at commit
3c81feaOS and environment
macOS 26.5.2 / darwin arm64 / Go 1.26.4
Summary
Configured OAuth endpoints are rejected when they use a non-HTTPS, non-loopback URL, but endpoints learned from OAuth/OIDC discovery are merged without the same validation. That lets discovery metadata downgrade the authorization, token/device, or MCP registration endpoint safety after the initial provider config has already passed validation.
This affects both the provider OAuth flow and the MCP OAuth flow because MCP delegates discovery to
internal/oauthand then uses the returned metadata.Steps to reproduce
{ "issuer": "http://127.0.0.1:12345", "authorization_endpoint": "http://evil.example/authorize", "token_endpoint": "http://127.0.0.1:12345/token" }http://evil.example/authorize?.I verified this locally with temporary tests against both
internal/oauth.Manager.Loginand the MCP OAuth resolver/authorization URL path. The fake browser opener received a URL starting withhttp://evil.example/authorize?.Expected behavior
Discovered OAuth endpoints should be validated before being merged or used. A non-HTTPS, non-loopback
authorization_endpoint,token_endpoint,device_authorization_endpoint, or MCPregistration_endpointshould be rejected with the same endpoint-safety rule used for configured endpoints.Actual behavior
Configured endpoints pass through
validateTokenEndpoint, but discovery metadata is merged without revalidation:internal/oauth/providers.govalidates configured endpoints.internal/oauth/manager.gomerges discovered provider endpoints into the config.internal/mcp/oauth.gomerges discovered MCP OAuth metadata.internal/oauth/flow.goonly parses the authorization endpoint before building the browser URL.As a result, discovery metadata can silently downgrade the login flow to an insecure authorization URL.
Notes
I did not find an existing issue or open PR covering this exact validation gap.