Fix MCP OAuth client_secret_basic authentication support #257283

Draft
wants to merge 2 commits into
base: main

Conversation

@Copilot Copilot AI commented Jul 22, 2025

Problem

VS Code's MCP OAuth implementation was hardcoding token_endpoint_auth_method: 'none' during dynamic client registration, regardless of what authentication methods the authorization server actually supported. This caused token endpoint requests to fail for servers that required client authentication.

Specifically:

  • The fetchDynamicRegistration function always requested 'none' authentication
  • When servers returned a client_secret in the registration response, it wasn't being used properly for token requests
  • Servers supporting only client_secret_basic (like the MCP server in the issue) would reject token requests due to missing authentication

Solution

1. Smart Authentication Method Selection

Updated fetchDynamicRegistration() to inspect the server's token_endpoint_auth_methods_supported and choose the most appropriate method:

  • Prefer client_secret_basic if supported
  • Fall back to client_secret_post if supported
  • Default to none if neither is supported

2. Proper Client Authentication in Token Requests

Updated exchangeCodeForToken() and exchangeRefreshTokenForToken() to handle different authentication methods correctly:

client_secret_basic: Use HTTP Basic authentication

Authorization: Basic <base64(client_id:client_secret)>

client_secret_post: Include credentials in request body (existing behavior)

client_id=...&client_secret=...

none: Include only client_id in request body (existing behavior)

client_id=...

3. State Management

Added _tokenEndpointAuthMethod field to DynamicAuthProvider to track the negotiated authentication method from registration through to token requests.

Example

Before this fix, a server with this metadata would fail:

{
  "token_endpoint_auth_methods_supported": ["client_secret_basic"],
  "registration_endpoint": "http://localhost:3000/oauth/register"
}

VS Code would request token_endpoint_auth_method: 'none' during registration, receive a client_secret, but then send token requests without proper authentication, causing them to be rejected.

After this fix, VS Code will:

  1. Request token_endpoint_auth_method: 'client_secret_basic' during registration
  2. Store the returned client_secret and auth method
  3. Send token requests with proper HTTP Basic authentication

Compatibility

  • Fully backward compatible with existing OAuth servers
  • Gracefully handles servers that don't specify supported auth methods
  • Falls back to previous behavior when dynamic registration fails

Fixes #257277.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • electronjs.org
    • Triggering command: node-gyp (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

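The negotiation the description lays out, as an added TypeScript example that is not VS Code's own code: `selectTokenEndpointAuthMethod` applies the stated preference order to the server metadata, and `buildTokenRequest` produces the headers and form body for each method. The interface and function names are hypothetical; treating a missing `token_endpoint_auth_methods_supported` as an empty list is an assumption.

```typescript
// Added example, not VS Code's own code. Mirrors the PR's negotiation: pick the
// token_endpoint_auth_method from the server metadata, keep it with the registered
// client, and build the token request accordingly. All names here are hypothetical.
type TokenEndpointAuthMethod = 'client_secret_basic' | 'client_secret_post' | 'none';

interface ServerMetadata {
  token_endpoint_auth_methods_supported?: string[];
}

interface RegisteredClient {
  client_id: string;
  client_secret?: string;
  token_endpoint_auth_method: TokenEndpointAuthMethod;
}

// Preference order stated in the PR: basic, then post, then none. A missing field
// is treated like an empty list here (assumption; RFC 8414's default is basic).
function selectTokenEndpointAuthMethod(metadata: ServerMetadata): TokenEndpointAuthMethod {
  const supported = metadata.token_endpoint_auth_methods_supported ?? [];
  if (supported.includes('client_secret_basic')) return 'client_secret_basic';
  if (supported.includes('client_secret_post')) return 'client_secret_post';
  return 'none';
}

// Builds headers and form body for the token endpoint. `params` carries the
// grant-specific fields (grant_type, code, redirect_uri, refresh_token, ...).
function buildTokenRequest(client: RegisteredClient, params: Record<string, string>):
  { headers: Record<string, string>; body: string } {
  const headers: Record<string, string> = { 'Content-Type': 'application/x-www-form-urlencoded' };
  const form = new URLSearchParams(params);
  switch (client.token_endpoint_auth_method) {
    case 'client_secret_basic': {
      if (!client.client_secret) throw new Error('client_secret_basic needs a client_secret');
      // RFC 6749 §2.3.1: id and secret are form-urlencoded before being joined and base64'd.
      const creds = `${encodeURIComponent(client.client_id)}:${encodeURIComponent(client.client_secret)}`;
      headers['Authorization'] = `Basic ${Buffer.from(creds, 'utf8').toString('base64')}`;
      break;
    }
    case 'client_secret_post':
      if (!client.client_secret) throw new Error('client_secret_post needs a client_secret');
      form.set('client_id', client.client_id);
      form.set('client_secret', client.client_secret);
      break;
    case 'none':
      form.set('client_id', client.client_id);
      break;
  }
  return { headers, body: form.toString() };
}
```

Whether the Basic credentials are form-urlencoded before base64 is an interop detail worth checking against the target server: RFC 6749 requires it, but some servers compare the raw values.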

@Copilot Copilot AI changed the title from "[WIP] MCP oauth: client_secret omitted from token endpoint request" to "Fix MCP OAuth client_secret_basic authentication support" Jul 22, 2025
@Copilot Copilot AI requested a review from TylerLeonhardt July 22, 2025 15:19
Copilot finished work on behalf of TylerLeonhardt July 22, 2025 15:19
Comment on lines +729 to +730
if (serverMetadata.token_endpoint_auth_methods_supported.includes('client_secret_basic')) {
tokenEndpointAuthMethod = 'client_secret_basic';

client_secret_basic along with client_secret_post are used as hardcoded strings a total of over 10 times within this PR.
It'd be preferred to use enums or constants instead of hardcoding said strings.

Successfully merging this pull request may close these issues.

MCP oauth: client_secret omitted from token endpoint request
3 participants