Add OAuth support for desktop platforms (Windows, macOS, Linux)

[Copilot]

OAuth-protected MCP servers (Atlassian, Notion) were failing on desktop with UnsupportedError. OAuth was only implemented for web.

Implementation

Desktop OAuth handler (oauth_desktop.dart)

• System browser launch via url_launcher
• Local HTTP server (random port) for OAuth callbacks
• PKCE flow (SHA256, RFC 7636) + state validation
• IPv6 fallback for loopback binding

Platform-specific imports

// Web: popup-based flow
import '../utils/oauth_web.dart' if (dart.library.io) '../utils/oauth_io.dart';

• Web → oauth_web.dart (unchanged)
• Desktop → oauth_desktop.dart (new)
• Mobile → runtime check throws appropriate error

Provider changes

• kIsWeb → !kIsMobile (4 locations in UI, provider methods)
• Dynamic redirect URI handling: web uses fixed origin, desktop uses localhost:<random_port>
• OAuth discovery now platform-aware

OAuth flow on desktop

1. Auto-discover OAuth metadata from MCP server
2. Start local server on http://localhost:54321/callback
3. Launch browser → user authenticates
4. Receive callback → exchange code for token (PKCE)
5. Store token → close server

Security

• PKCE prevents code interception
• State parameter prevents CSRF
• Loopback-only binding (127.0.0.1/::1)
• Server closes immediately after callback
• Follows RFC 8252 (OAuth for Native Apps)

Changes

• lib/utils/oauth_desktop.dart (+494) - Desktop OAuth implementation
• lib/utils/oauth_io.dart (+3) - Conditional import export
• lib/provider/mcp_server_provider.dart - Enable desktop OAuth
• lib/utils/oauth_discovery.dart - Platform-aware redirect URIs
• lib/page/setting/mcp_server.dart - Show OAuth UI on desktop
• docs/mcp_oauth_servers.md - Update platform support docs

Backward compatible. Web OAuth unchanged. Mobile not yet supported.

Original prompt

daodao97#198

MCP Servers relying on OAuth daodao97#198
Open
Open
MCP Servers relying on OAuth
daodao97#198
@areisde
Description
areisde
opened on Aug 24, 2025
Hi there,

A few MCP servers like Atlassian or Notion require the MCP Client to authenticate one time in order to allow the connection. Is this something we will be able to do in the future with chatMCP ?

Thank you for your reply !

Activity
areisde
areisde commented on Aug 25, 2025
areisde
on Aug 25, 2025
Author
Update :

This feature is now implemented for the web version in PR daodao97#199 :

OAuth 2.0 auto-discovery and dynamic client registration for MCP servers (tested with Atlassian and Notion)
PKCE and Bearer token support for web clients
Documentation: "docs/mcp_oauth_servers.md"
Note: Currently supports web only
Thank you for considering this feature! Let me know if you have any questions or feedback.

matteo-rama
matteo-rama commented on Aug 25, 2025
matteo-rama
on Aug 25, 2025
there is any plan to add it in the desktop app?

daodao97
daodao97 commented on Aug 25, 2025
daodao97
on Aug 25, 2025
Owner
new version released v0.0.76

matteo-rama
matteo-rama commented on Sep 4, 2025
matteo-rama
on Sep 4, 2025
great thanks!

one more question, i think it doesn't support client crendential or at least i can't specify what flow of oauth use if oauth server support more.

do you think will be possible to add?

matteo-rama
matteo-rama commented on Sep 10, 2025
matteo-rama
on Sep 10, 2025
@daodao97 also another issue i am facing, aside the fact that not all oauth server support dynamic registration and rely in authenticate with clientsecret, i can say that if i enter
http://localhost:9090/sse
and check on log, i see the error with sse, but i don't see teh call at .wellknownhost nor any other subsequent call, that's strange isn't it? shouldn't it use that call to auto discover oauth server?

isidoromendez
isidoromendez commented on Nov 6, 2025
isidoromendez
on Nov 6, 2025 · edited by isidoromendez
Amazing app!!

I'm using 0.0.76 for windows, but oauth flow doesn´t start as response to the 401 from the initialize method from y mcp. My server use self-signed cert running locally. It works in claude desktop and mcp-inspector

we apreciate any help!!

Image Image
raspbeguy
raspbeguy commented 4 days ago
raspbeguy
4 days ago
Same problem for Android. I could also generate the token elsewhere and feed it to the app. Do you think this is possible?

harisonw
harisonw commented 1 hour ago
harisonw
1 hour ago
Amazing app!!

I'm using 0.0.76 for windows, but oauth flow doesn´t start as response to the 401 from the initialize method from y mcp. My server use self-signed cert running locally. It works in claude desktop and mcp-inspector

we apreciate any help!!

Image Image

Same for me I'm using 0.0.76 for Windows. Tried with Atlassian MCP.

fix this in the windows desktop app, sounds like its already been done in the web version

Expeted way of working: A supported client connects to the server endpoint:

https://mcp.atlassian.com/v1/mcp
A secure browser-based OAuth 2.1 flow is triggered.

Once authorized, the client streams contextual data and receives real-time responses from Jira, Compass, or Confluence.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.