WIP

Author: sambhav

client/src/App.tsx

@@ -523,7 +523,7 @@ const App = () => {
         });
       }
     },
-    [sseUrl, oauthMode, config],
+    [sseUrl, oauthMode, config, connectMcpServer],
   );
 
   useEffect(() => {

client/src/components/OAuthCallback.tsx

@@ -7,6 +7,14 @@ import {
   generateOAuthErrorDescription,
   parseOAuthCallbackParams,
 } from "@/utils/oauthUtils.ts";
+import { createOAuthProviderForServer } from "../lib/oauth/provider-factory";
+import { OAuthStateMachine } from "../lib/oauth-state-machine";
+import { AuthDebuggerState } from "../lib/auth-types";
+import {
+  getMCPProxyAddress,
+  getMCPProxyAuthToken,
+  initializeInspectorConfig,
+} from "@/utils/configUtils";
 
 interface OAuthCallbackProps {
   onConnect: (serverUrl: string) => void;
@@ -41,24 +49,97 @@ const OAuthCallback = ({ onConnect }: OAuthCallbackProps) => {
         return notifyError("Missing Server URL");
       }
 
-      let result;
-      try {
-        // Create an auth provider with the current server URL
-        const serverAuthProvider = new InspectorOAuthClientProvider(serverUrl);
+      // Check if there's stored auth state (for proxy mode from Connect button)
+      const storedAuthState = sessionStorage.getItem(
+        SESSION_KEYS.AUTH_STATE_FOR_CONNECT,
+      );
 
-        result = await auth(serverAuthProvider, {
-          serverUrl,
-          authorizationCode: params.code,
-        });
-      } catch (error) {
-        console.error("OAuth callback error:", error);
-        return notifyError(`Unexpected error occurred: ${error}`);
-      }
+      if (storedAuthState) {
+        // Proxy mode: Complete the OAuth flow using the state machine
+        try {
+          let restoredState: AuthDebuggerState = JSON.parse(storedAuthState);
+
+          // Restore URL objects
+          if (
+            restoredState.resource &&
+            typeof restoredState.resource === "string"
+          ) {
+            restoredState.resource = new URL(restoredState.resource);
+          }
+          if (
+            restoredState.authorizationUrl &&
+            typeof restoredState.authorizationUrl === "string"
+          ) {
+            restoredState.authorizationUrl = new URL(
+              restoredState.authorizationUrl,
+            );
+          }
+
+          // Set up state with the authorization code
+          let currentState: AuthDebuggerState = {
+            ...restoredState,
+            authorizationCode: params.code,
+            oauthStep: "token_request",
+          };
+
+          // Get config and create provider
+          // Use the same config key and initialization as App.tsx
+          const config = initializeInspectorConfig("inspectorConfig_v1");
+
+          const proxyAddress = getMCPProxyAddress(config);
+          const proxyAuthObj = getMCPProxyAuthToken(config);
+
+          const oauthProvider = createOAuthProviderForServer(
+            serverUrl,
+            proxyAddress,
+            proxyAuthObj.token,
+          );
+
+          const stateMachine = new OAuthStateMachine(
+            serverUrl,
+            (updates) => {
+              currentState = { ...currentState, ...updates };
+            },
+            oauthProvider,
+            false, // use regular redirect URL
+          );
+
+          // Complete the token exchange
+          await stateMachine.executeStep(currentState);
+
+          if (currentState.oauthStep !== "complete") {
+            return notifyError("Failed to complete OAuth token exchange");
+          }
+
+          // Clean up stored state
+          sessionStorage.removeItem(SESSION_KEYS.AUTH_STATE_FOR_CONNECT);
+        } catch (error) {
+          console.error("Proxy OAuth callback error:", error);
+          sessionStorage.removeItem(SESSION_KEYS.AUTH_STATE_FOR_CONNECT);
+          return notifyError(`Failed to complete proxy OAuth: ${error}`);
+        }
+      } else {
+        // Direct mode: Use SDK's auth() function
+        let result;
+        try {
+          const serverAuthProvider = new InspectorOAuthClientProvider(
+            serverUrl,
+          );
+
+          result = await auth(serverAuthProvider, {
+            serverUrl,
+            authorizationCode: params.code,
+          });
+        } catch (error) {
+          console.error("OAuth callback error:", error);
+          return notifyError(`Unexpected error occurred: ${error}`);
+        }
 
-      if (result !== "AUTHORIZED") {
-        return notifyError(
-          `Expected to be authorized after providing auth code, got: ${result}`,
-        );
+        if (result !== "AUTHORIZED") {
+          return notifyError(
+            `Expected to be authorized after providing auth code, got: ${result}`,
+          );
+        }
       }
 
       // Finally, trigger auto-connect

client/src/lib/auth.ts

@@ -254,10 +254,17 @@ export class InspectorOAuthClientProvider implements OAuthClientProvider {
 // Overrides redirect URL to use the debug endpoint and allows saving server OAuth metadata to
 // display in debug UI.
 export class DebugInspectorOAuthClientProvider extends InspectorOAuthClientProvider {
+  constructor(
+    serverUrl: string,
+    private useDebugRedirect: boolean = true,
+  ) {
+    super(serverUrl);
+  }
+
   get redirectUrl(): string {
-    // We can use the debug redirect URL here because it was already registered
-    // in the parent class's clientMetadata along with the normal redirect URL
-    return this.debugRedirectUrl;
+    // Use debug redirect URL by default, or regular redirect URL when configured
+    // (e.g., when Connect button is clicked in proxy mode)
+    return this.useDebugRedirect ? this.debugRedirectUrl : super.redirectUrl;
   }
 
   saveServerMetadata(metadata: OAuthMetadata) {

client/src/lib/constants.ts

@@ -17,6 +17,7 @@ export const SESSION_KEYS = {
   PREREGISTERED_CLIENT_INFORMATION: "mcp_preregistered_client_information",
   SERVER_METADATA: "mcp_server_metadata",
   AUTH_DEBUGGER_STATE: "mcp_auth_debugger_state",
+  AUTH_STATE_FOR_CONNECT: "mcp_auth_state_for_connect",
   SCOPE: "mcp_scope",
   OAUTH_MODE: "mcp_oauth_mode",
 } as const;

client/src/lib/hooks/useConnection.ts

@@ -35,7 +35,7 @@ import { RequestOptions } from "@modelcontextprotocol/sdk/shared/protocol.js";
 import { useEffect, useState } from "react";
 import { useToast } from "@/lib/hooks/useToast";
 import { z } from "zod";
-import { ConnectionStatus, CLIENT_IDENTITY } from "../constants";
+import { ConnectionStatus, CLIENT_IDENTITY, SESSION_KEYS } from "../constants";
 import { Notification } from "../notificationTypes";
 import {
   auth,
@@ -47,16 +47,22 @@ import {
   saveClientInformationToSessionStorage,
   saveScopeToSessionStorage,
   clearScopeFromSessionStorage,
-  discoverScopes,
 } from "../auth";
 import {
   getMCPProxyAddress,
   getMCPServerRequestMaxTotalTimeout,
   resetRequestTimeoutOnProgress,
   getMCPProxyAuthToken,
+  getMCPServerRequestTimeout,
 } from "@/utils/configUtils";
-import { getMCPServerRequestTimeout } from "@/utils/configUtils";
 import { InspectorConfig } from "../configurationTypes";
+import {
+  createOAuthProviderForServer,
+  setOAuthMode,
+} from "../oauth/provider-factory";
+import { OAuthStateMachine } from "../oauth-state-machine";
+import { AuthDebuggerState } from "../auth-types";
+import { validateRedirectUrl } from "@/utils/urlValidation";
 import { Transport } from "@modelcontextprotocol/sdk/shared/transport.js";
 import { CustomHeaders } from "../types/customHeaders";
 
@@ -153,6 +159,13 @@ export function useConnection({
     saveScopeToSessionStorage(sseUrl, oauthScope);
   }, [oauthScope, sseUrl]);
 
+  // Sync OAuth mode with connection type
+  useEffect(() => {
+    // When connection type is set to proxy, ensure OAuth mode is also proxy
+    // When connection type is direct, OAuth mode should be direct
+    setOAuthMode(connectionType, sseUrl);
+  }, [connectionType, sseUrl]);
+
   const pushHistory = (request: object, response?: object) => {
     setRequestHistory((prev) => [
       ...prev,
@@ -344,28 +357,131 @@ export function useConnection({
 
   const handleAuthError = async (error: unknown) => {
     if (is401Error(error)) {
-      let scope = oauthScope?.trim();
-      if (!scope) {
-        // Only discover resource metadata when we need to discover scopes
-        let resourceMetadata;
-        try {
-          resourceMetadata = await discoverOAuthProtectedResourceMetadata(
-            new URL("/", sseUrl),
+      const scope = oauthScope?.trim();
+
+      // Use connectionType directly instead of reading from session storage
+      const oauthMode = connectionType;
+
+      if (scope) {
+        saveScopeToSessionStorage(sseUrl, scope);
+      }
+
+      if (oauthMode === "proxy") {
+        // Use proxy mode with state machine approach (to avoid CORS)
+        // Ensure OAuth mode is set in session storage for callback to use
+        setOAuthMode("proxy", sseUrl);
+
+        const proxyAddress = getMCPProxyAddress(config);
+        const proxyAuthObj = getMCPProxyAuthToken(config);
+        const oauthProvider = createOAuthProviderForServer(
+          sseUrl,
+          proxyAddress,
+          proxyAuthObj.token,
+        );
+
+        // Use state machine to step through OAuth flow
+        let currentState: AuthDebuggerState = {
+          oauthStep: "metadata_discovery",
+          authorizationUrl: null,
+          authorizationCode: "",
+          oauthMetadata: null,
+          oauthClientInfo: null,
+          oauthTokens: null,
+          resourceMetadata: null,
+          resourceMetadataError: null,
+          authServerUrl: null,
+          resource: null,
+          validationError: null,
+          latestError: null,
+          statusMessage: null,
+          isInitiatingAuth: false,
+        };
+
+        // Use regular redirect URL (not debug) for Connect button
+        // This will redirect to /oauth/callback which auto-connects
+        const oauthMachine = new OAuthStateMachine(
+          sseUrl,
+          (updates) => {
+            currentState = { ...currentState, ...updates };
+          },
+          oauthProvider,
+          false, // useDebugRedirect = false
+        );
+
+        // Step through OAuth flow until we need to redirect
+        while (currentState.oauthStep !== "complete") {
+          await oauthMachine.executeStep(currentState);
+
+          // When we reach authorization step, validate and redirect
+          if (
+            currentState.oauthStep === "authorization_code" &&
+            currentState.authorizationUrl
+          ) {
+            try {
+              validateRedirectUrl(currentState.authorizationUrl);
+            } catch (redirectError) {
+              console.error("Invalid authorization URL:", redirectError);
+              return false;
+            }
+
+            // Store the current auth state before redirecting
+            // This allows /oauth/callback to complete the token exchange via proxy
+            sessionStorage.setItem(
+              SESSION_KEYS.AUTH_STATE_FOR_CONNECT,
+              JSON.stringify(currentState),
+            );
+
+            // Redirect to authorization URL
+            // Will redirect to /oauth/callback which calls onOAuthConnect
+            // and auto-connects after OAuth completion
+            window.location.href = currentState.authorizationUrl.toString();
+            return false; // We're redirecting, so connection will be retried after OAuth
+          }
+        }
+
+        // If we completed the full flow (shouldn't happen on first connect)
+        return currentState.oauthStep === "complete";
+      } else {
+        // Direct mode: Use SDK's auth() function
+        let discoveredScope = scope;
+
+        // Discover scopes if not provided
+        if (!discoveredScope) {
+          const proxyAddress = getMCPProxyAddress(config);
+          const proxyAuthObj = getMCPProxyAuthToken(config);
+          const oauthProvider = createOAuthProviderForServer(
+            sseUrl,
+            proxyAddress,
+            proxyAuthObj.token,
+          );
+
+          // For direct mode, try to get resource metadata
+          let resourceMetadata;
+          try {
+            resourceMetadata = await discoverOAuthProtectedResourceMetadata(
+              new URL("/", sseUrl),
+            );
+          } catch {
+            // Resource metadata is optional, continue without it
+          }
+
+          discoveredScope = await oauthProvider.discoverScopes(
+            sseUrl,
+            resourceMetadata,
           );
-        } catch {
-          // Resource metadata is optional, continue without it
+          if (discoveredScope) {
+            saveScopeToSessionStorage(sseUrl, discoveredScope);
+          }
         }
-        scope = await discoverScopes(sseUrl, resourceMetadata);
-      }
 
-      saveScopeToSessionStorage(sseUrl, scope);
-      const serverAuthProvider = new InspectorOAuthClientProvider(sseUrl);
+        const serverAuthProvider = new InspectorOAuthClientProvider(sseUrl);
 
-      const result = await auth(serverAuthProvider, {
-        serverUrl: sseUrl,
-        scope,
-      });
-      return result === "AUTHORIZED";
+        const result = await auth(serverAuthProvider, {
+          serverUrl: sseUrl,
+          scope: discoveredScope,
+        });
+        return result === "AUTHORIZED";
+      }
     }
 
     return false;

client/src/lib/hooks/useProxyConfig.ts

@@ -0,0 +1,22 @@
+/**
+ * Hook to get proxy configuration from config
+ */
+import { useMemo } from "react";
+import { InspectorConfig } from "../configurationTypes";
+import { getMCPProxyAddress, getMCPProxyAuthToken } from "@/utils/configUtils";
+
+// This hook can be used if we need to get config from context
+// For now, it's simpler to just pass the config values directly
+export function useProxyConfig(config?: InspectorConfig) {
+  const proxyFullAddress = useMemo(
+    () => (config ? getMCPProxyAddress(config) : ""),
+    [config],
+  );
+
+  const proxyAuthToken = useMemo(
+    () => (config ? getMCPProxyAuthToken(config) : ""),
+    [config],
+  );
+
+  return { proxyFullAddress, proxyAuthToken };
+}