Skip to content

feat(auth): add --redirect-uri + --token-endpoint-auth-method to register-client#894

Open
panda850819 wants to merge 1 commit into
garrytan:masterfrom
panda850819:feat/register-client-redirect-uri-flags
Open

feat(auth): add --redirect-uri + --token-endpoint-auth-method to register-client#894
panda850819 wants to merge 1 commit into
garrytan:masterfrom
panda850819:feat/register-client-redirect-uri-flags

Conversation

@panda850819

@panda850819 panda850819 commented May 12, 2026
edited by blacksmith-sh Bot
Loading

Copy link
Copy Markdown

Summary

gbrain auth register-client previously hard-coded redirect_uris = [] and token_endpoint_auth_method = NULL, which made the CLI unusable for the case SECURITY.md itself recommends it for — pre-registering Claude.ai / ChatGPT custom connectors so operators can run with --enable-dcr off.

New flags:

  • --redirect-uri <uri> (repeatable; required for authorization_code clients)
  • --token-endpoint-auth-method <method> (client_secret_post | none; ChatGPT custom connectors use none)

Auth-method values are validated against a new ALLOWED_TOKEN_ENDPOINT_AUTH_METHODS set that mirrors what the MCP SDK's mcpAuthRouter advertises in token_endpoint_auth_methods_supported. Unknown values fail loud at registration.

The failure mode this fixes

Before this PR, the SECURITY.md-recommended hardening path falls apart at step 2:

  1. Operator drops --enable-dcr, runs gbrain auth register-client claude-ai --grant-types authorization_code,refresh_token --scopes "read write".
  2. Pastes the client_id/secret into Claude.ai → /authorize returns {\"error\":\"invalid_request\",\"error_description\":\"Unregistered redirect_uri\"}.
  3. Operator UPDATEs oauth_clients by hand to add the callback URLs, and again for token_endpoint_auth_method = 'none' to make ChatGPT's PKCE-only flow work.

Worked example after this PR

```bash
gbrain auth register-client claude-ai \
--grant-types authorization_code,refresh_token \
--scopes "read write" \
--redirect-uri https://claude.ai/api/mcp/auth_callback \
--redirect-uri https://claude.com/api/mcp/auth_callback

gbrain auth register-client chatgpt \
--grant-types authorization_code,refresh_token \
--scopes "read write" \
--redirect-uri https://chatgpt.com/connector/oauth/ \
--token-endpoint-auth-method none
```

Test plan

  • `bun test test/oauth.test.ts` — 68 pass (4 new: redirect_uris persistence, `none` persistence, default `client_secret_post` fallback, unsupported-method rejection)
  • Tested live against `https://brain.pdzeng.com\` (DCR disabled) with both Claude.ai and ChatGPT custom-connector flows — both reach `/authorize`, complete consent, and get `read,write` tokens.

Notes

  • No DB schema change. `oauth_clients.token_endpoint_auth_method TEXT` already exists; the INSERT now sets it instead of leaving it NULL.
  • Backward compatible: omitting both new flags reproduces today's behavior, except `token_endpoint_auth_method` defaults to `'client_secret_post'` explicitly instead of NULL — matching the DCR path (`oauth-provider.ts` line ~184).
  • The CLI usage block + the typed signature on `registerClientManual` both expose the new fields.

🤖 Generated with Claude Code

View in Codesmith
Need help on this PR? Tag @codesmith with what you need.

  • Let Codesmith autofix CI failures and bot reviews

@panda850819 @claude
feat(auth): add --redirect-uri + --token-endpoint-auth-method flags t…
9ad0b97 
…o register-client

`gbrain auth register-client` previously hard-coded `redirect_uris = []` and
`token_endpoint_auth_method = NULL` when persisting the client. That made the
CLI unusable for the most common case it's recommended for: pre-registering
Claude.ai / ChatGPT custom connectors so SECURITY.md's "don't enable open DCR"
guidance can actually be followed.

The failure mode:
  1. Operator follows SECURITY.md "If you must use a custom HTTP wrapper",
     drops --enable-dcr, runs `gbrain auth register-client claude-ai ...`.
  2. Pastes client_id/secret into Claude.ai → /authorize returns
     `invalid_request: Unregistered redirect_uri`.
  3. ChatGPT additionally needs token_endpoint_auth_method=none for its
     PKCE-only flow.
  4. Operator has to `UPDATE oauth_clients SET redirect_uris=ARRAY[...],
     token_endpoint_auth_method=...` by hand against the live DB.

New flags:
  --redirect-uri <uri>                    (repeatable)
  --token-endpoint-auth-method <method>   (client_secret_post | none)

Auth-method values are validated against ALLOWED_TOKEN_ENDPOINT_AUTH_METHODS,
which mirrors what `mcpAuthRouter` advertises in
token_endpoint_auth_methods_supported. Unknown values fail loud at registration
instead of silently producing an unauthorizable client.

Tests cover: redirect_uris persistence, auth-method persistence (`none`),
default fallback to client_secret_post, and rejection of unsupported methods.

Worked example (now possible without UPDATE):

  gbrain auth register-client claude-ai \
    --grant-types authorization_code,refresh_token \
    --scopes "read write" \
    --redirect-uri https://claude.ai/api/mcp/auth_callback \
    --redirect-uri https://claude.com/api/mcp/auth_callback

  gbrain auth register-client chatgpt \
    --grant-types authorization_code,refresh_token \
    --scopes "read write" \
    --redirect-uri https://chatgpt.com/connector/oauth/<HASH> \
    --token-endpoint-auth-method none

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@garrytan garrytan mentioned this pull request May 25, 2026
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@panda850819