@TylerLeonhardt TylerLeonhardt commented May 22, 2025

With this change, we support being able to on-the-fly create an Auth Provider based on an oauth-authorization-server's metadata.

MCP then leverages this because by following the MCP spec we can figure out the oauth server metadata and then request a token from that server.

The tokens are persisted and will be refreshed on demand... all based on the OAuth spec.

Fixes #247759

@TylerLeonhardt TylerLeonhardt self-assigned this May 22, 2025
@TylerLeonhardt TylerLeonhardt enabled auto-merge (squash) May 22, 2025 00:19
@TylerLeonhardt TylerLeonhardt requested a review from connor4312 May 22, 2025 00:21
@vs-code-engineering vs-code-engineering bot added this to the May 2025 milestone May 22, 2025
@TylerLeonhardt TylerLeonhardt merged commit 3089b82 into main May 22, 2025
8 checks passed
@TylerLeonhardt TylerLeonhardt deleted the tyler/yeasty-stoat branch May 22, 2025 17:11
lkchao-majority commented May 23, 2025

Hi @TylerLeonhardt,
Nice work!

I am contacting you to share some feedback if you don't mind.

  1. When trying to reach my own MCP server with Google OAuth, VS Code is inserting an unexpected value into my callback request state, making it fail.

      # request using VS Code native MCP oauth support
      GET /google/callback?state=vscode-insiders%3A%2F%2Fdynamicauthprovider%2F ...
      400 Bad Request

      # request using mcp-remote
      GET /google/callback?state=<randomstring>..
      302 Found

  2. When trying to connect to Atlassian or Linear MCP servers, VS Code is hanging while waiting for authorization after signing in.

      Waiting for server to respond to `initialize` request...

Any idea what could be the issue? Thanks

TylerLeonhardt commented May 23, 2025

@lkchao-majority can you open these as two new issues and we'll work through them? Please provide the platform you're on and what your MCP config looks like in VS Code.

  1. we use the state to redirect back to VS Code... since a lot of identity providers don't like the vscode://... I wanna know more about how you've set up OAuth for your server. Are you using a protected resource flow that delegates to Google or have you implemented an OAuth authorization server that will do a nested OAuth flow for Google?
  2. I have tested both these MCP servers... Atlassian currently has a bad schema in one of their tools and we have a bug that doesn't let you disable that tool. That should be fixed soon. Linear did work for me. I did add some logging that'll be out Monday so hopefully we can look closer.

Comment on lines +114 to +116
if (isDisposable(provider)) {
provider.dispose();
}
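
Review bot: the `provider.dispose()` call at +115 is gated only on `isDisposable(provider)`, which says nothing about who owns the provider. If the object is owned by whoever registered it, or if its `dispose()` itself leads back into this path, the call can dispose it twice or re-enter. Suggest leaving disposal to the owner, or guarding against re-entry before calling `dispose()`.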
@jeanp413 jeanp413 May 26, 2025

@TylerLeonhardt this is causing a Maximum call stack size exceeded error in the extension host, from the github authentication extension when running vscode in the browser. The extension should be responsible for disposing any of its resources rather than vscode doing it.

Member Author

Nice catch, I've removed that in #249845

@chiragraghani7

@TylerLeonhardt Thank you for implementing dynamic auth providers for MCP! This is a significant enhancement.

I'm developing an MCP server that uses PingID for authentication, and I'm trying to integrate this authentication flow through VS Code Copilot Agent. Looking at your PR, I believe this will solve my current challenge.

A few questions:

  1. What VS Code version should I target to leverage these dynamic auth providers?
  2. Is there any documentation available on how to integrate an MCP server with these new changes?
  3. My server is configured with Spring Security for OAuth2 login with PingID as the provider - are there any specific considerations or configuration changes I need to make to ensure compatibility with the VS Code dynamic auth flow?

For context, I've implemented basic OAuth2 security in my Spring WebFlux application, but I'm not sure how to properly expose the necessary OAuth metadata that VS Code would require under the new implementation.

Thanks for your help!

@TylerLeonhardt
Member Author

  1. This will be available in 1.101 and higher.
  2. You should follow the MCP spec although I recommend the draft spec as it is way nicer. If you do the right things, VS Code should "just work".
  3. There needs to be support for Dynamic Client Registration so that VS Code can create a client id on the fly. The MCP spec calls this out.
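
One way for a server operator to check that an authorization server's metadata advertises what the reply above asks for (Dynamic Client Registration) along with the endpoints the OAuth flow depends on. This is an added example, not code from this PR or from VS Code; `checkAuthServerMetadata`, the sample documents and `auth.example.com` are assumptions made for illustration, and the checks beyond `registration_endpoint` follow RFC 8414 and common PKCE practice rather than anything stated in the thread.

```javascript
// Added example: validates authorization server metadata (RFC 8414) for the
// fields a dynamically registering OAuth client depends on.
function isHttpsUrl(value) {
  try { return new URL(value).protocol === 'https:'; } catch { return false; }
}

function checkAuthServerMetadata(metadata, expectedIssuer) {
  const errors = [];
  const warnings = [];
  const list = (v) => (Array.isArray(v) ? v : []);
  // RFC 8414 section 3.3: the issuer in the document must equal the issuer
  // the client used to locate it, otherwise the document must not be used.
  if (metadata.issuer !== expectedIssuer) errors.push('issuer mismatch');
  for (const field of ['authorization_endpoint', 'token_endpoint']) {
    if (!isHttpsUrl(metadata[field])) errors.push(`${field} missing or not https`);
  }
  // Dynamic Client Registration (RFC 7591) is advertised through this field.
  if (!isHttpsUrl(metadata.registration_endpoint)) errors.push('registration_endpoint missing or not https');
  if (!list(metadata.response_types_supported).includes('code')) {
    errors.push('response type "code" not advertised');
  }
  if (!list(metadata.code_challenge_methods_supported).includes('S256')) {
    errors.push('PKCE S256 not advertised');
  }
  // Without the refresh_token grant a client has to re-run the whole flow.
  if (!list(metadata.grant_types_supported).includes('refresh_token')) {
    warnings.push('refresh_token grant not advertised');
  }
  return { errors, warnings };
}

// Constructed sample documents (auth.example.com is a placeholder).
const ISSUER = 'https://auth.example.com';
const GOOD = {
  issuer: ISSUER,
  authorization_endpoint: `${ISSUER}/authorize`,
  token_endpoint: `${ISSUER}/token`,
  registration_endpoint: `${ISSUER}/register`,
  response_types_supported: ['code'],
  code_challenge_methods_supported: ['S256'],
  grant_types_supported: ['authorization_code', 'refresh_token'],
};
// Same server without DCR and with a plain-http token endpoint.
const BAD = { ...GOOD, registration_endpoint: undefined, token_endpoint: 'http://auth.example.com/token' };

console.log(checkAuthServerMetadata(GOOD, ISSUER), checkAuthServerMetadata(BAD, ISSUER));
```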

@vs-code-engineering vs-code-engineering bot locked and limited conversation to collaborators Jul 6, 2025
Development

Successfully merging this pull request may close these issues.

Support MCP Server Authorization