MCP OAuth Authentication

Relevant source files

• AGENTS.md
• docs/examples/coding-focused.jsonc
• docs/examples/default.jsonc
• docs/examples/planning-focused.jsonc
• docs/guide/agent-model-matching.md
• docs/guide/installation.md
• docs/guide/orchestration.md
• docs/guide/overview.md
• docs/reference/cli.md
• docs/reference/configuration.md
• docs/reference/features.md
• packages/AGENTS.md
• packages/omo-opencode/src/agents/AGENTS.md
• packages/omo-opencode/src/agents/prometheus/AGENTS.md
• packages/omo-opencode/src/features/AGENTS.md
• packages/omo-opencode/src/features/boulder-state/AGENTS.md
• packages/omo-opencode/src/features/team-mode/AGENTS.md
• packages/omo-opencode/src/hooks/AGENTS.md
• packages/omo-opencode/src/hooks/auto-update-checker/AGENTS.md
• packages/omo-opencode/src/hooks/keyword-detector/AGENTS.md
• packages/omo-opencode/src/tools/AGENTS.md

The oh-my-openagent system provides a robust implementation for handling authenticated Model Context Protocol (MCP) servers. This implementation supports OAuth 2.0 with Proof Key for Code Exchange (PKCE) and Dynamic Client Registration (DCR), ensuring secure authorization flows for third-party MCP tools and services.

Overview and Purpose

Authenticated MCP servers require a standardized way to handle user authorization without exposing long-lived credentials. The system implements a flow that allows users to authenticate against MCP servers, manage tokens locally, and perform "step-up" authentication when higher privilege levels are required by a specific tool or resource.

Key Components

• SkillMcpManager: Orchestrates connections and manages the lifecycle of MCP clients, including OAuth-enabled ones packages/omo-opencode/src/features/skill-mcp-manager/manager.ts15-33
• McpOAuthProvider: Implements the PKCE flow, token refreshing, and storage logic packages/omo-opencode/src/features/mcp-oauth/provider.ts12-24
• PKCE Flow: Secure authorization without a client secret, using a code verifier and challenge to mitigate interception attacks packages/omo-opencode/src/features/mcp-oauth/provider.test.ts26-63
• DCR: Automatic registration of the client with the MCP server using discovery metadata packages/omo-opencode/src/features/mcp-oauth/dcr.ts1-10
• OAuthHandler: Intercepts MCP errors (like 401 Unauthorized) to trigger refresh or step-up flows packages/omo-opencode/src/features/skill-mcp-manager/oauth-handler.ts6-13

Sources: packages/omo-opencode/src/features/skill-mcp-manager/manager.ts15-33 packages/omo-opencode/src/features/mcp-oauth/provider.ts12-24 packages/omo-opencode/src/features/mcp-oauth/provider.test.ts26-63 packages/omo-opencode/src/features/mcp-oauth/dcr.ts1-10 packages/omo-opencode/src/features/skill-mcp-manager/oauth-handler.ts6-13

Authentication Data Flow

The following diagram illustrates the interaction between the SkillMcpManager, the McpOAuthProvider, and the remote MCP server during an authenticated request.

OAuth Request and Error Handling (Code Entity Space)

Sources: packages/omo-opencode/src/features/skill-mcp-manager/manager.ts106-158 packages/omo-opencode/src/features/skill-mcp-manager/oauth-handler.ts6-13 packages/omo-opencode/src/features/skill-mcp-manager/connection.ts3-6 packages/omo-opencode/src/features/skill-mcp-manager/cleanup.ts4-10

Implementation Details

PKCE and Dynamic Client Registration

To support various MCP server implementations without hardcoding secrets, the system utilizes Dynamic Client Registration (DCR). Upon the first login attempt to a new server, the agent registers itself to obtain a client_id packages/omo-opencode/src/features/mcp-oauth/dcr.ts1-10

The PKCE (Proof Key for Code Exchange) extension is used to mitigate authorization code injection attacks. This is critical as the CLI operates in a public client environment where client secrets cannot be securely stored. The system generates a code_verifier and a corresponding code_challenge using SHA256 packages/omo-opencode/src/features/mcp-oauth/provider.test.ts51-63

Connection Management

The SkillMcpManager maintains a state of active connections and prevents race conditions during setup using a pendingConnections map packages/omo-opencode/src/features/skill-mcp-manager/connection.ts37-40 It distinguishes between local stdio and remote http (SSE) connections packages/omo-opencode/src/features/skill-mcp-manager/connection.ts154-157

The manager also handles session-specific disconnection races, ensuring that if a session is disconnected while a connection is in flight, the resulting client is disposed of correctly packages/omo-opencode/src/features/skill-mcp-manager/connection-race.test.ts142-162

Token Management and Storage

Tokens are persisted locally to avoid frequent re-authentication. The McpOAuthProvider interacts with a storage layer to save OAuthTokenData which includes the access token, refresh token, and expiration timestamp packages/omo-opencode/src/features/mcp-oauth/provider.test.ts192-210

• Token Refresh: The system automatically attempts to use the refresh_token if a request fails with an authentication error packages/omo-opencode/src/features/skill-mcp-manager/manager.ts134-143
• Security: Sensitive data like Authorization headers and API keys are redacted in logs and error messages to prevent leakage packages/omo-opencode/src/features/skill-mcp-manager/http-client.ts63-77

Sources: packages/omo-opencode/src/features/skill-mcp-manager/connection.ts37-40 packages/omo-opencode/src/features/skill-mcp-manager/connection-race.test.ts142-162 packages/omo-opencode/src/features/skill-mcp-manager/manager.ts134-143 packages/omo-opencode/src/features/mcp-oauth/provider.test.ts192-210 packages/omo-opencode/src/features/skill-mcp-manager/http-client.ts63-77

Step-up Authentication and Retries

Certain MCP tools may require "Step-up Authentication" if a specific action requires a higher scope than what was initially granted.

1. The MCP server returns an error indicating insufficient scope or a specific "step-up" requirement packages/omo-opencode/src/features/skill-mcp-manager/manager.ts123-132
2. withOperationRetry catches the error and calls handleStepUpIfNeeded packages/omo-opencode/src/features/skill-mcp-manager/manager.ts123-128
3. The McpOAuthProvider initiates a new login flow with the expanded scopes.
4. Upon success, the manager forces a reconnection to the server via forceReconnect to apply the new credentials packages/omo-opencode/src/features/skill-mcp-manager/cleanup.ts3-10

Connection State Class Diagram (Code Entity Space)

Sources: packages/omo-opencode/src/features/skill-mcp-manager/manager.ts15-33 packages/omo-opencode/src/features/skill-mcp-manager/types.ts77-90 packages/omo-opencode/src/features/mcp-oauth/provider.test.ts67-70

CLI Commands for MCP OAuth

The system provides CLI utilities for managing these authenticated sessions docs/reference/cli.md41:

Command	Action	Implementation Detail
mcp oauth login	Initiates PKCE flow	Triggers McpOAuthProvider.login() via factory packages/omo-opencode/src/features/skill-mcp-manager/manager.ts31
mcp oauth logout	Clears local tokens for a server	Disconnects sessions via SkillMcpManager.disconnectSession packages/omo-opencode/src/features/skill-mcp-manager/manager.ts49-51
mcp oauth status	Checks connectivity and token validity	Validates via isConnected and getConnectedServers packages/omo-opencode/src/features/skill-mcp-manager/manager.ts171-177

Sources: packages/omo-opencode/src/features/skill-mcp-manager/manager.ts49-55 packages/omo-opencode/src/features/skill-mcp-manager/manager.ts171-177 packages/omo-opencode/src/features/skill-mcp-manager/manager.ts31 docs/reference/cli.md41