[codex] Harden draft OAuth client auth#27
Conversation
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7f19e5e32e
| if (!this.authorizationIssuerState) { | ||
| throw new Error("No authorization response issuer") | ||
| } |
Allow redirects without an iss value
When an authorization server does not advertise authorization_response_iss_parameter_supported, auth() accepts an undefined issuer, but this provider now throws as soon as the redirect lacks iss. In those environments the normal authorization-code retry in handle401 fails before token exchange even though missing iss is allowed; store/pass undefined instead of making the getter mandatory.
Greptile Summary
This PR hardens draft OAuth client authentication and updates the related verification evidence. The main changes are:
Confidence Score: 4/5
The OAuth hardening is mostly well scoped, but the example HTTP auth retry path can reject valid authorization-code redirects before token exchange. The reviewed change set is narrow and the remaining issue is localized to the example client retry helper, with a focused runtime check confirming the failure mode.
src/examples/everything-client.ts
| getAuthorizationResponseIssuer(): string { | ||
| if (!this.authorizationIssuerState) { | ||
| throw new Error("No authorization response issuer") | ||
| } | ||
| return this.authorizationIssuerState | ||
| } |
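Review bot: `getAuthorizationResponseIssuer()` throws whenever `authorizationIssuerState` is unset, yet a redirect only carries `iss` when the authorization server advertises `authorization_response_iss_parameter_supported`, and `auth.validateAuthorizationResponseIssuer` already accepts `undefined` for servers that do not. Change the return type to `string | undefined` and return `this.authorizationIssuerState` without the guard, so that `handle401` passes a missing issuer through and `auth` decides whether its absence is an error; the thrown-before-token-exchange failure then disappears without weakening the check for servers that do advertise `iss`.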
Allow missing issuer
handle401 always calls getAuthorizationResponseIssuer() before passing the value into auth, but auth.validateAuthorizationResponseIssuer accepts undefined when the authorization server does not advertise authorization_response_iss_parameter_supported. A valid authorization-code redirect from that server has no iss, so this helper throws before auth can complete the token exchange.
Artifacts
Repro: focused local OAuth missing issuer harness
- Contains supporting evidence from the run (text/javascript; charset=utf-8).
Repro: execution log showing helper throw before token exchange
- Keeps the command output available without making the summary code-heavy.
Ran code and verified through T-Rex
Path: src/examples/everything-client.ts
Line: 112-117
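The issuer check the two reviews describe, written out as an added TypeScript example (this is not the PR's or the project's code): the redirect holder returns `string | undefined`, and the validator requires `iss` only when the server advertises `authorization_response_iss_parameter_supported`. `AuthorizationServerMetadata`, `RedirectState`, `validateAuthorizationResponseIssuer` and `checkRedirect` are assumed names, and the two metadata records and redirect URLs are constructed samples.

```typescript
// Added example, not the project's code. All names below are assumed.

// Subset of authorization-server metadata relevant to issuer identification:
// the RFC 8414 `issuer` plus the RFC 9207 capability flag.
interface AuthorizationServerMetadata {
  issuer: string;
  authorization_response_iss_parameter_supported?: boolean;
}

// Minimal holder for the authorization-code redirect. The issuer is optional:
// a redirect legitimately lacks `iss` when the server never advertised it, so
// the getter hands back `undefined` instead of throwing.
class RedirectState {
  private authorizationIssuerState: string | undefined;

  constructor(redirectUrl: string) {
    const params = new URL(redirectUrl).searchParams;
    this.authorizationIssuerState = params.get("iss") ?? undefined;
  }

  getAuthorizationResponseIssuer(): string | undefined {
    return this.authorizationIssuerState;
  }
}

// When the server advertises RFC 9207 support, `iss` is mandatory and must
// match the metadata issuer exactly (mix-up mitigation). When it does not, a
// missing `iss` is accepted; a present-but-mismatched one is still rejected,
// which is a choice made in this example rather than something the reviews state.
function validateAuthorizationResponseIssuer(
  metadata: AuthorizationServerMetadata,
  receivedIss: string | undefined,
): void {
  if (receivedIss === undefined) {
    if (metadata.authorization_response_iss_parameter_supported) {
      throw new Error("Authorization response is missing the required iss parameter");
    }
    return; // server does not advertise iss: absence is allowed
  }
  if (receivedIss !== metadata.issuer) {
    throw new Error(`Authorization response issuer mismatch: expected ${metadata.issuer}`);
  }
}

// Returns "ok" when the redirect may proceed to token exchange, otherwise the
// rejection reason. This is the decision point the retry path should reach
// instead of failing in the getter.
function checkRedirect(metadata: AuthorizationServerMetadata, redirectUrl: string): string {
  try {
    const iss = new RedirectState(redirectUrl).getAuthorizationResponseIssuer();
    validateAuthorizationResponseIssuer(metadata, iss);
    return "ok";
  } catch (e) {
    return (e as Error).message;
  }
}

// Constructed sample metadata (not real endpoints).
const SERVER_WITH_ISS: AuthorizationServerMetadata = {
  issuer: "https://as.example/",
  authorization_response_iss_parameter_supported: true,
};
const SERVER_WITHOUT_ISS: AuthorizationServerMetadata = {
  issuer: "https://legacy-as.example/",
};

// Constructed sample redirects.
const REDIRECT_NO_ISS = "https://client.example/cb?code=abc&state=xyz";
const REDIRECT_GOOD_ISS = REDIRECT_NO_ISS + "&iss=https%3A%2F%2Fas.example%2F";
const REDIRECT_BAD_ISS = REDIRECT_NO_ISS + "&iss=https%3A%2F%2Fevil.example%2F";
```

Calling `checkRedirect(SERVER_WITHOUT_ISS, REDIRECT_NO_ISS)` yields `"ok"`, which is the case the reviews say the reviewed getter breaks; `checkRedirect(SERVER_WITH_ISS, REDIRECT_NO_ISS)` is rejected because that server promised an `iss`. Keeping the strictness decision in the validator, next to the metadata, is what lets the same redirect holder serve both kinds of server.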
Summary
Addresses #20.
- `iss` for authorization-code exchanges and pass the captured issuer through the HTTP auth retry path.
- `application_type`, prefer Client ID Metadata Documents when advertised, and union scopes during re-authorization.
- `check:auth-hardening` to the package verification gate and update conformance/readiness docs to separate passing client-auth evidence from the missing authorization-server target.
Validation
- `corepack pnpm run verify` passed.
- `corepack pnpm run e2e:draft` passed.
- `corepack pnpm run conformance:client-auth` passed: 14 scenarios, 569 checks, 0 failures, 0 warnings. Artifact: `.local/conformance/client-auth-2026-06-27T22-09-51-088Z`.
- `corepack pnpm run conformance:authorization` recorded the expected missing-target blocker because no `MCP_AUTHORIZATION_CONFORMANCE_FILE` or `MCP_AUTHORIZATION_CONFORMANCE_URL` was configured. Artifact: `.local/conformance/authorization-2026-06-27T22-08-03-278Z`; readiness summary: `.local/readiness-evidence/conformance-authorization.json`.