feat: OAuth MCP support via Agents SDK (Phase 1) #40
Closed
jonnyparris wants to merge 6 commits into main from
added 6 commits
April 23, 2026 21:33
… tests incomplete)
…es, callTool signature, mcpGatekeepers option typing
Deploying with
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! View logs | dodo | 76a060a | Apr 23 2026, 09:00 PM |
Superseded by #43 — the full 4-phase consolidated PR.
Summary
Adds OAuth 2.1 support for MCP servers via the Cloudflare Agents SDK, alongside the existing static-header `HttpMcpGatekeeper`. Users can now connect to public OAuth MCP servers (`*.mcp.cloudflare.com`, GitHub, etc.) without pasting tokens — the SDK handles PKCE, dynamic client registration, and refresh transparently.

Why
Today Dodo forces users to generate static bearer tokens and paste them into the UI to use any MCP server. The tokens then live as envelope-encrypted secrets in UserControl. This is friction, and breaks for OAuth-only servers.
The Agents SDK already ships an MCP OAuth manager (`this.mcp.addMcpServer`, `this.mcp.configureOAuthCallback`, `this.mcp.callTool`). `CodingAgent` transitively extends `Agent` via `Think` from `@cloudflare/think`, so these methods are already available — Dodo just wasn't using them.

Reference implementation: `chat.cloudflare.dev` (`cloudflare/eti/flares/chat-flare`). All 8 `*.mcp.cloudflare.com` servers (tested live) are OAuth providers with DCR + PKCE + refresh tokens — no Access-layer hacks needed.

What changed
New OAuth code path (parallel to static-headers)
- `McpCatalogEntry`, `McpGatekeeperConfig`, `mcp_configs` D1 table — added `auth_type: "oauth" | "static_headers"` field with schema migration for existing rows.
- `CodingAgent.onStart` — calls `this.mcp.configureOAuthCallback({ successRedirect, errorRedirect })`.
- `CodingAgent.connectMcpServers` — skips `auth_type === "oauth"` entries (the SDK manages them), leaves static-headers flow untouched.
- `CodingAgent.refreshMcpState` — new RPC method for re-authenticating an MCP.

Routes in `src/index.ts` (behind auth middleware)
- `POST /api/mcp/start-auth` — begins OAuth flow, returns `authUrl` for the browser to visit.
- `POST /api/mcp/delete-auth` — removes an OAuth connection.
- `POST /api/mcp/refresh-state` — re-adds an MCP (useful after expired refresh tokens).
- `ALL /agents/*` — OAuth callback receiver; forwards into the user's `CodingAgent` DO.

Tool merging in `src/agentic.ts`
`buildToolsForThink` now merges static-gatekeeper tools with SDK-managed MCP tools. New `buildSdkMcpTools` helper slugifies display names for tool prefixes and dedupes by final prefixed name (64-char cap per AI SDK).

Catalog
Expanded `MCP_CATALOG` from 4 entries to 11 — split `cloudflare-api` into 8 per-service entries (`cloudflare-docs`, `cloudflare-bindings`, etc.), all flagged `auth_type: "oauth"`. `browser-rendering` and `github` also marked oauth. `dodo-self` stays static for now.

Config
`WORKER_URL` added to `Env` (`src/types.ts`) and `wrangler.jsonc` vars (`http://localhost:8787` for dev).

Tests
- `test/dodo.test.ts` — two new tests that `/api/mcp/start-auth` and `/agents/*` are not publicly accessible.
- `test/mcp-config.test.ts` — catalog size assertion updated from `=== 4` to `>= 4` (robust to future growth).
- `auth_type` field.

What's NOT in this PR
Deliberately out of scope — will follow in later PRs:
- `MCP_CATALOG` from static array to D1 `approved_mcps` table with admin CRUD.
- `DODO_MCP_TOKEN` with per-user tokens.

Verification
- `npm run typecheck` — clean
- `npm test` — all 384 tests pass, 2 skipped, 0 failed (up from 378 before main added autocompact test coverage)
- `browser-rendering` MCP (currently static-headers) still works — OAuth is additive, not replacement.

Credit where due
This PR is the output of 5 Dodo self-dispatches over ~2 hours. The first attempt hit the autocompaction bugs filed in #34, which @jonnyparris fixed in parallel — thank you. Subsequent dispatches after the fix landed (as evidenced by commits `1e0926d` through `be0fb78` on main) completed without context issues.

Branch
`feat/mcp-oauth-phase1-final` is a clean rebase of the work onto post-fix main. No conflicts.

Reference doc
Full architecture + implementation notes + the chat-flare reference: `~/agent-hq/scratch/chat-flare-mcp-auth-insights.md` (internal).
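
Added example, not code from this PR or the Dodo repository: a sketch of the prefix-and-dedupe step described under "Tool merging", showing three ways tools from different MCP servers can end up with the same final name once a slug and a 64-character cap are applied. The `McpTool` shape, the slug rule, the first-wins policy and the sample tools are assumptions made for this illustration; only the 64-character cap comes from the description.

```typescript
// Added illustration; not code from the Dodo repository.
interface McpTool { server: string; name: string }
interface MergeResult {
  tools: Map<string, McpTool>;
  dropped: { name: string; tool: McpTool }[];
}

const MAX_TOOL_NAME = 64; // cap stated in the PR description

// Assumed slug rule: lowercase, runs of non-alphanumerics become "_".
function slugify(displayName: string): string {
  const slug = displayName.toLowerCase().replace(/[^a-z0-9]+/g, "_");
  return slug.replace(/^_+|_+$/g, "") || "mcp";
}

function prefixedName(tool: McpTool): string {
  return `${slugify(tool.server)}_${tool.name}`.slice(0, MAX_TOOL_NAME);
}

// Assumed policy: first registration wins and static tools go first, so a
// later server cannot replace an existing tool by colliding with its name.
// Dropped entries are returned so they can be logged instead of vanishing.
function mergeTools(staticTools: McpTool[], sdkTools: McpTool[]): MergeResult {
  const tools = new Map<string, McpTool>();
  const dropped: MergeResult["dropped"] = [];
  for (const tool of [...staticTools, ...sdkTools]) {
    const name = prefixedName(tool);
    if (tools.has(name)) dropped.push({ name, tool });
    else tools.set(name, tool);
  }
  return { tools, dropped };
}

// Constructed sample data: three ways two tools end up with one name.
function demo(): MergeResult {
  const long = "x".repeat(60);
  return mergeTools(
    [{ server: "dodo-self", name: "status" }],
    [
      { server: "Cloudflare Docs", name: "search" },
      { server: "cloudflare-docs", name: "search" }, // same slug
      { server: "GitHub", name: `${long}_read` },
      { server: "GitHub", name: `${long}_write` },   // same after the cap
      { server: "Dodo Self", name: "status" },       // collides with static
    ],
  );
}
```

Returning the dropped entries makes a name collision visible to the caller, which matters when the tool that loses is the one the user meant to invoke.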