🔐 feat: Add Resource Parameter to OAuth Requests per MCP Spec #8599

Merged
merged 1 commit into from
Jul 22, 2025

rinormaloku
Contributor

@rinormaloku rinormaloku commented Jul 22, 2025

Addresses this part of the spec https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization#resource-parameter-implementation

MCP clients MUST implement Resource Indicators for OAuth 2.0 as defined in RFC 8707 to explicitly specify the target resource for which the token is being requested. The resource parameter:

  • MUST be included in both authorization requests and token requests.
  • MUST identify the MCP server that the client intends to use the token with.
  • MUST use the canonical URI of the MCP server as defined in RFC 8707 Section 2.

@danny-avila
Owner

Thanks @rinormaloku

Can you add more description to your PR? Motivation, testing, etc.?

@rinormaloku
Contributor Author

@danny-avila just did! You're fast!

@danny-avila
Owner

> @danny-avila just did! You're fast!

Thanks! Do you have an MCP server to test this with?

@rinormaloku
Contributor Author

rinormaloku commented Jul 22, 2025

Sadly, just private ones that I cannot share. However, as you can see, it simply logs a warning if it is absent and passes it otherwise. So this is backward compatible. And it adheres to the spec, which (understandably) requires the client to specify for which resource they are requesting access.
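
An added sketch, not code from this PR or from LibreChat, of what the quoted spec text and the backward-compatible behaviour described above amount to: the same canonical `resource` value (RFC 8707) goes into both the authorization request and the token request, and a missing or unusable value produces a warning instead of a failure. Function names, endpoints and client values are hypothetical, and dropping a bare root slash is a normalisation choice made here.

```javascript
// Added example, hypothetical names. RFC 8707 Section 2: absolute URI, no fragment.
function canonicalResource(serverUrl) {
  let url;
  try {
    url = new URL(serverUrl); // throws on relative or scheme-less input
  } catch {
    return undefined;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return undefined;
  if (serverUrl.includes('#')) return undefined; // fragments are not allowed
  // URL already lowercases scheme and host; drop a bare root slash (our choice).
  const path = url.pathname === '/' ? '' : url.pathname;
  return `${url.protocol}//${url.host}${path}${url.search}`;
}

// Sets "resource" when a usable value exists; otherwise warns and sends without it.
function addResource(params, serverUrl, warn) {
  const resource = serverUrl ? canonicalResource(serverUrl) : undefined;
  if (!resource) {
    warn(`no usable resource indicator (${String(serverUrl)}); omitting "resource"`);
    return false;
  }
  params.set('resource', resource);
  return true;
}

function buildAuthorizationUrl(o, warn = console.warn) {
  const url = new URL(o.authorizationEndpoint);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', o.clientId);
  url.searchParams.set('redirect_uri', o.redirectUri);
  url.searchParams.set('code_challenge', o.codeChallenge);
  url.searchParams.set('code_challenge_method', 'S256');
  url.searchParams.set('state', o.state);
  addResource(url.searchParams, o.resource, warn);
  return url;
}

function buildTokenRequestBody(o, warn = console.warn) {
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    code: o.code,
    code_verifier: o.codeVerifier,
    client_id: o.clientId,
    redirect_uri: o.redirectUri,
  });
  addResource(body, o.resource, warn);
  return body;
}
```

Binding the token to one resource this way lets the authorization server restrict its audience, so a token obtained for one MCP server is not accepted by another.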

@danny-avila danny-avila changed the title adds the resource paramter to the authorize and token endpoints 🔐 feat: Add Resource Parameter to OAuth Requests per MCP Spec Jul 22, 2025
@danny-avila danny-avila changed the base branch from main to dev July 22, 2025 21:52
@danny-avila danny-avila merged commit baf3b4a into danny-avila:dev Jul 22, 2025
4 checks passed
kenshinsamue pushed a commit to intelequia/LibreChat that referenced this pull request Aug 4, 2025
omarchouikha-goreply added a commit to go-reply-de/go-genai-studio that referenced this pull request Aug 5, 2025
* 🆕 feat: Enhanced Title Generation Config Options (danny-avila#8580)

* 🏗️ refactor: Extract reasoning key logic into separate function

* refactor: Ensure `overrideProvider` is always defined in `getProviderConfig` result, and only used in `initializeAgent` if different from `agent.provider`

* feat: new title configuration options across services

- titlePrompt
- titleEndpoint
- titlePromptTemplate
- new "completion" titleMethod (new default)

* chore: update @librechat/agents and conform openai version to prevent SDK errors

* chore: add form-data package as a dependency and override to v4.0.4 to address CVE-2025-7783

* feat: add support for 'all' endpoint configuration in AppService and corresponding tests

* refactor: replace HttpsProxyAgent with ProxyAgent from undici for improved proxy handling in assistant initialization

* chore: update frontend review workflow to limit package paths to data-provider

* chore: update backend review workflow to include all package paths

* ✨ feat: Add MCP Reinitialization to MCPPanel (danny-avila#8418)

* ✨ feat: Add MCP Reinitialization to MCPPanel

- Refactored tool caching to include user-specific tools in various service files.
- Refactored MCPManager class for clarity
- Added a new endpoint for reinitializing MCP servers, allowing for dynamic updates of server configurations.
- Enhanced the MCPPanel component to support server reinitialization with user feedback.

* 🔃 refactor: Simplify Plugin Deduplication and Clear Cache Post-MCP Initialization

- Replaced manual deduplication of tools with the dedicated `filterUniquePlugins` function for improved readability.
- Added back cache clearing for tools after MCP initialization to ensure fresh data is used.
- Removed unused exports from `PluginController.js` to clean up the codebase.

* ☁️ fix: 'thinking' parameter default to false for Bedrock Conversations (danny-avila#8600)

* 🧼 chore: Clean up Settings by Removing Beta tab and reorganizing imports

* 🔀 feat: `moonshotai/kimi` Context and OpenRouter Endpoint Token Config (danny-avila#8604)

* ✨ feat: Enhance agent initialization with endpoint token configuration and round max context tokens

* feat: recognize moonshot/kimi model context window

* chore: remove unused i18n key

* 🌍 i18n: Update translation.json with latest translations (danny-avila#8602)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* 🗂️ feat: Add File Search Toggle Permission for Chat Area Badge (danny-avila#8605)

* 🔐 feat: Add Resource Parameter to OAuth Requests per MCP Spec (danny-avila#8599)

* ✔️ fix: Resource field TypeError & Missing Role Permission Type (danny-avila#8606)

* fix: resource parameter undefined TypeError in log

* chore: Add missing FILE_SEARCH permission type to IRole interface

* chore: Bump version of @librechat/data-schemas to 0.0.11

* fix: Ensure resource is defined and handle potential null values in OAuth flow

* 🔌 feat: MCP Reinitialization and OAuth in UI (danny-avila#8598)

* ✨ feat: Add connection status endpoint for MCP servers

- Implemented a new endpoint to retrieve the connection status of all MCP servers without disconnecting idle connections.
- Enhanced MCPManager class with a method to get all user-specific connections.

* feat: add silencer arg to loadCustomConfig function to conditionally print config details

- Modified loadCustomConfig to accept a printConfig parameter that allows me to prevent the entire custom config being printed every time it is called

* fix: new status endpoint actually works now, changes to manager.ts to support it

- Updated the connection status endpoint to utilize Maps for app and user connections, rather than incorrectly treating them as objects.
- Introduced a new method + variable in MCPManager to track servers requiring OAuth discovered at startup.
- Stopped OAuth flow from continuing once detected during startup for a new connection

* refactor: Remove hasAuthConfig since we can get that on the frontend without needing to use the endpoint

* feat: Add MCP connection status query and query key for new endpoint

- Introduced a new query hook `useMCPConnectionStatusQuery` to fetch the connection status of MCP servers.
- Added request in data-service
- Defined the API endpoint for retrieving MCP connection status in api-endpoints.ts.
- Defined new types for MCP connection status responses in the types module.
- Added mcpConnectionStatus key

* feat: Enhance MCPSelect component with connection status and server configuration

- Added connection status handling for MCP servers using the new `useMCPConnectionStatusQuery` hook.
- Implemented logic to display appropriate status icons based on connection state and authentication configuration.
- Updated the server selection logic to utilize configured MCP servers from the startup configuration.
- Refactored the rendering of configuration buttons and status indicators for improved user interaction.

* refactor: move MCPConfigDialog to its own  MCP subdir in ui and update import

* refactor: silence loadCustomConfig in status endpoint

* feat: Add optional pluginKey parameter to getUserPluginAuthValue

* feat: Add MCP authentication values endpoint and related queries

- Implemented a new endpoint to check authentication value flags for specific MCP servers, returning boolean indicators for each custom user variable.
- Added a corresponding query hook `useMCPAuthValuesQuery` to fetch authentication values from the frontend.
- Defined the API endpoint for retrieving MCP authentication values in api-endpoints.ts.
- Updated data-service to include a method for fetching MCP authentication values.
- Introduced new types for MCP authentication values responses in the types module.
- Added a new query key for MCP authentication values.

* feat: Localize MCPSelect component status labels and aria attributes

- Updated the MCPSelect component to use localized strings for connection status labels and aria attributes, enhancing accessibility and internationalization support.
- Added new translation keys for various connection states in the translation.json file.

* feat: Implement filtered MCP values selection based on connection status in MCPSelect

- Added a new `filteredSetMCPValues` function to ensure only connected servers are selectable in the MCPSelect component.
- Updated the rendering logic to visually indicate the connection status of servers by adjusting opacity.
- Enhanced accessibility by localizing the aria-label for the configuration button.

* feat: Add CustomUserVarsSection component for managing user variables

- Introduced a new `CustomUserVarsSection` component to allow users to configure custom variables for MCP servers.
- Integrated localization for user interface elements and added new translation keys for variable management.
- Added functionality to save and revoke user variables, with visual indicators for set/unset states.

* feat: Enhance MCPSelect and MCPConfigDialog with improved state management and UI updates

- Integrated `useQueryClient` to refetch queries for tools, authentication values, and connection status upon successful plugin updates in MCPSelect.
- Simplified plugin key handling by directly using the formatted plugin key in save and revoke operations.
- Updated MCPConfigDialog to include server status indicators and improved dialog content structure for better user experience.
- Added new translation key for active status in the localization files.

* feat: Enhance MCPConfigDialog with dynamic server status badges and localization updates

- Added a helper function to render status badges based on the connection state of the MCP server, improving user feedback on connection status.
- Updated the localization files to include new translation keys for connection states such as "Connecting" and "Offline".
- Refactored the dialog to utilize the new status rendering function for better code organization and readability.

* feat: Implement OAuth handling and server initialization in MCP reinitialize flow

- Added OAuth handling to the MCP reinitialize endpoint, allowing the server to capture and return OAuth URLs when required.
- Updated the MCPConfigDialog to include a new ServerInitializationSection for managing server initialization and OAuth flow.
- Enhanced the user experience by providing feedback on server status and OAuth requirements through localized messages.
- Introduced new translation keys for OAuth-related messages in the localization files.
- Refactored the MCPSelect component to remove unused authentication configuration props.

* feat: Make OAuth actually work / update after OAuth link authorized

- Improved the handling of OAuth flows in the MCP reinitialize process, allowing for immediate return when OAuth is initiated.
- Updated the UserController to extract server names from plugin keys for better logging and connection management.
- Enhanced the MCPSelect component to reflect authentication status based on OAuth requirements.
- Implemented polling for OAuth completion in the ServerInitializationSection to improve user feedback during the connection process.
- Refactored MCPManager to support new OAuth flow initiation logic and connection handling.

* refactor: Simplify MCPPanel component and enhance server status display

- Removed unused imports and state management related to user plugins and server reinitialization.
- Integrated connection status handling directly into the MCPPanel for improved user feedback.
- Updated the rendering logic to display server connection states with visual indicators.
- Refactored the editing view to utilize new components for server initialization and custom user variables management.

* chore: remove comments

* chore: remove unused translation key for MCP panel

* refactor: Rename returnOnOAuthInitiated to returnOnOAuth for clarity

* refactor: attempt initialize on server click

* feat: add cancel OAuth flow functionality and related UI updates

* refactor: move server status icon logic into its own component

* chore: remove old localization strings (makes more sense for icon labels to just use configure string since that's where it leads to)

* fix: fix accessibility issues with MCPSelect

* fix: add missing save/revoke mutation logic to MCPPanel

* styling: add margin to checkmark in MultiSelect

* fix: add back in customUserVars check to hide gear config icon for servers without customUserVars

---------

Co-authored-by: Dustin Healy <[email protected]>
Co-authored-by: Dustin Healy <[email protected]>

* 🌍 i18n: Update translation.json with latest translations (danny-avila#8613)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* 🔗 fix: Set Abort Signal for Agent Chain Run if Cleaned Up (danny-avila#8625)

* 🔁 feat: Allow "http" as Alias for "streamable-http" in MCP Options (danny-avila#8624)

- Updated StreamableHTTPOptionsSchema to accept "http" alongside "streamable-http".
- Enhanced isStreamableHTTPOptions function to handle both types and validate URLs accordingly.
- Added tests to ensure correct processing of "http" type options and rejection of websocket URLs.

* 🔳 fix: Bare Object MCP Tool Schemas as Passthrough (danny-avila#8637)

* 🔳 fix: Bare Object MCP Tool Schemas as Passthrough

* ci: Add cases for handling complex object schemas in convertJsonSchemaToZod

* ℹ️ fix: Add back Removed Icons for MCP Servers in Tools Dialog (danny-avila#8636)

* Bug: Fix icons for MCP servers

* Add `OPENAI_API_KEY` to `jestSetup.js` to fix tests

* 🌍 i18n: Update translation.json with latest translations (danny-avila#8639)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* ✨ v0.7.9 (danny-avila#8638)

* chore: update version to v0.7.9 across all relevant files

* 🔧 chore: bump @librechat/api version to 1.2.9

* 🔧 chore: update @librechat/data-schemas version to 0.0.12

* 🔧 chore: bump librechat-data-provider version to 0.7.902

* updated package-lock

---------

Co-authored-by: Danny Avila <[email protected]>
Co-authored-by: Dustin Healy <[email protected]>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Rinor Maloku <[email protected]>
Co-authored-by: Dustin Healy <[email protected]>
Co-authored-by: Sebastien Bruel <[email protected]>
xycjscs pushed a commit to xycjscs/LibreChat that referenced this pull request Aug 9, 2025