mcp: add bearer and OAuth2 authentication support to $mcp client by nmaguiar · Pull Request #1769 · OpenAF/openaf

nmaguiar · 2026-03-12T01:22:27Z

Enable authenticated connections for remote/http MCP servers by supporting static bearer tokens and OAuth2 flows so MCP clients can call protected endpoints.
Provide a flexible auth configuration that supports client credentials, authorization code flows, token refresh, and optional browser-based authorization.

Added aOptions.auth parsing and defaults to $mcp and extended the odoc header with usage examples for bearer and OAuth2 configurations.
Implemented internal auth state and helpers: _auth, _urlEnc, _openAuthBrowser, _getAuthorizationCode, and _getAuthHeaders to obtain and refresh access tokens (including refresh token handling and authorization_code flow support with optional browser launch and paste prompt).
Introduced _execWithAuth wrapper that injects Authorization headers into REST calls for remote/http types and delegates to the underlying JSON-RPC client, and replaced direct _jsonrpc.exec calls with _execWithAuth in initialize, notifications, listTools, callTool, listPrompts, getPrompt, listAgents, getAgent, sendToAgent, exec, and the initialized notification path.
Merged auth headers into execOptions.restOptions.requestHeaders when present and added handling of auth.tokenType, refreshWindowMs, extraParams, and other OAuth2 options.

No automated tests were added or executed as part of this change; please run the repository test suite and integration tests against an MCP server requiring authentication to validate OAuth2 and bearer flows.

Add browser-assisted OAuth2 authorization_code flow to $mcp auth

0779ad8

nmaguiar added the codex label Mar 12, 2026 — with ChatGPT Codex Connector

nmaguiar closed this Mar 12, 2026

nmaguiar deleted the codex/add-oauth2-authentication-to-mcp-client branch March 12, 2026 05:12

Provide feedback