
Copilot AI commented Jan 7, 2026

The Windows desktop app previously threw UnsupportedError for OAuth-protected MCP servers (Atlassian, Notion). Only the web platform had OAuth support.

Changes

New Desktop OAuth Handler (lib/utils/oauth_desktop.dart)

  • External browser flow: Opens system browser via url_launcher for authorization
  • Local callback server: Binds to localhost:0 (random port) using shelf to receive OAuth callback
  • PKCE security: SHA256 code challenge, 128-char verifier, state validation
  • Resource management: Auto-cleanup after success/error/timeout (10min), concurrent flow prevention

```dart
// Desktop flow returns actual redirect_uri used
final authResult = await WebOAuthHandler.startOAuthFlow(
  authorizationUrl: config.authorizationUrl,
  clientId: config.clientId,
  redirectUri: 'http://localhost:0',  // Placeholder - actual port determined at runtime
  scope: scope,
);

// Use returned redirect_uri for token exchange
await WebOAuthHandler.exchangeCodeForToken(
  tokenUrl: config.tokenUrl,
  code: authResult['code'],
  codeVerifier: authResult['code_verifier'],
  redirectUri: authResult['redirect_uri'],  // Actual localhost:{port}
);
```

Platform Unification

  • Conditional import: oauth_web.dart for web, oauth_desktop.dart for desktop (was oauth_stub.dart)
  • Discovery: Platform-aware redirect URI generation (localhost for desktop, origin/oauth_callback.html for web)
  • Provider: Removed kIsWeb guards from OAuth methods

Web Consistency

  • Updated oauth_web.dart to return redirect_uri in flow result for consistent interface

Security

  • RFC 7636 (PKCE), RFC 6749 (OAuth 2.0), RFC 8414 (discovery), RFC 7591 (dynamic registration)
  • Localhost-only binding, no external network access
  • State validation prevents CSRF
  • Token expiry handling with auto-refresh

Limitations

  • Mobile not supported (future work)
  • Single concurrent flow (by design)
  • Tokens in plaintext config file (standard for user-scoped desktop apps)

Testing

Requires manual verification with live OAuth servers:

  • Atlassian MCP: https://mcp.atlassian.com/v1/mcp
  • Notion MCP: https://mcp.notion.com/mcp

Original prompt

MCP Servers relying on OAuth daodao97#198
Open
areisde opened on Aug 24, 2025

Description
Hi there,

A few MCP servers like Atlassian or Notion require the MCP Client to authenticate one time in order to allow the connection. Is this something we will be able to do in the future with chatMCP ?

Thank you for your reply !

Activity

areisde (Author) commented on Aug 25, 2025
Update:

This feature is now implemented for the web version in PR daodao97#199:

  • OAuth 2.0 auto-discovery and dynamic client registration for MCP servers (tested with Atlassian and Notion)
  • PKCE and Bearer token support for web clients
  • Documentation: "docs/mcp_oauth_servers.md"
  • Note: Currently supports web only

Thank you for considering this feature! Let me know if you have any questions or feedback.

matteo-rama commented on Aug 25, 2025
Is there any plan to add it in the desktop app?

daodao97 (Owner) commented on Aug 25, 2025
new version released v0.0.76

matteo-rama commented on Sep 4, 2025
Great, thanks!

One more question: I think it doesn't support client credentials, or at least I can't specify which OAuth flow to use if the OAuth server supports more than one.

Do you think it will be possible to add?

matteo-rama commented on Sep 10, 2025
@daodao97 Also another issue I am facing: aside from the fact that not all OAuth servers support dynamic registration and instead rely on authenticating with a client secret, I can say that if I enter
http://localhost:9090/sse
and check the log, I see the error with SSE, but I don't see the .well-known call nor any other subsequent call. That's strange, isn't it? Shouldn't it use that call to auto-discover the OAuth server?

isidoromendez commented on Nov 6, 2025 (edited by isidoromendez)
Amazing app!!

I'm using 0.0.76 for Windows, but the OAuth flow doesn't start in response to the 401 from the initialize method of my MCP. My server uses a self-signed cert running locally. It works in Claude Desktop and mcp-inspector.

We appreciate any help!!

raspbeguy commented 4 days ago
Same problem for Android. I could also generate the token elsewhere and feed it to the app. Do you think this is possible?

harisonw commented 1 hour ago
Amazing app!!

I'm using 0.0.76 for Windows, but the OAuth flow doesn't start in response to the 401 from the initialize method of my MCP. My server uses a self-signed cert running locally. It works in Claude Desktop and mcp-inspector.

We appreciate any help!!

Same for me, I'm using 0.0.76 for Windows. Tried with Atlassian MCP.

Fix this in the Windows desktop app; it sounds like it's already been done in the web version.

Expected way of working: A supported client connects to the server endpoint:

https://mcp.atlassian.com/v1/mcp

A secure browser-based OAuth 2.1 flow is triggered.

Once authorized, the client streams contextual data and receives real-time responses from Jira, Compass, or Confluence.

Created from VS Code.
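As an added illustration (not the PR's Dart code and not part of the chatMCP project), here is the desktop flow from the description above in Python: the RFC 7636 S256 challenge, a loopback callback listener bound to port 0 that validates state and cleans up on timeout, and a stand-in for the system browser. The /callback path, the 127.0.0.1 binding and all function names are assumptions.

```python
import base64, hashlib, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

def pkce_challenge(verifier):
    """RFC 7636 S256: base64url(SHA-256(verifier)) with the '=' padding stripped."""
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()

def parse_callback(query, expected_state):
    """Discard a callback whose state differs (CSRF guard); otherwise return the authorization code."""
    params = parse_qs(query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback discarded")
    return params["code"][0]  # KeyError when the server sent error=... instead of code=...

class LoopbackReceiver:
    """One-shot listener on 127.0.0.1:0 (OS-chosen port) that waits for the authorization redirect."""
    def __init__(self, expected_state):
        self.result, self.error, self.done = None, None, threading.Event()
        receiver = self
        class Handler(BaseHTTPRequestHandler):
            def log_message(self, *_):  # keep the code in the request line out of the console
                pass
            def do_GET(self):
                try:
                    receiver.result, status = parse_callback(urlparse(self.path).query, expected_state), 200
                except (ValueError, KeyError) as exc:
                    receiver.error, status = f"callback rejected: {exc}", 400
                self.send_response(status)
                self.end_headers()
                self.wfile.write(b"You may close this window." if status == 200 else b"Callback rejected.")
                receiver.done.set()  # first request wins: one flow at a time, by design
        self.server = HTTPServer(("127.0.0.1", 0), Handler)
        self.redirect_uri = f"http://127.0.0.1:{self.server.server_port}/callback"  # /callback is assumed
        threading.Thread(target=self.server.serve_forever, daemon=True).start()
    def wait(self, timeout=600):
        """Block for the redirect (10 min default), then release the port whether or not it arrived."""
        arrived = self.done.wait(timeout)
        self.server.shutdown(); self.server.server_close()
        if not arrived:
            raise TimeoutError("no OAuth callback before timeout")
        if self.error:
            raise ValueError(self.error)
        return self.result

def simulate_browser_redirect(url):  # stand-in for the system browser following the redirect
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # never route loopback via a proxy
    try:
        return opener.open(url, timeout=5).status
    except urllib.error.HTTPError as exc:
        return exc.code
```

A 128-character verifier as the PR describes can be produced with secrets.token_urlsafe(96); only the challenge goes in the authorization request, the verifier is sent at token exchange.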


Copilot AI and others added 4 commits January 7, 2026 18:40
Co-authored-by: harisonw <87620631+harisonw@users.noreply.github.com>
Copilot AI changed the title [WIP] Implement OAuth 2.0 support for MCP servers Implement OAuth 2.0 desktop support for MCP servers Jan 7, 2026
Copilot AI requested a review from harisonw January 7, 2026 18:50