Add OAuth 2.0 support for desktop platforms (Windows/macOS/Linux) #1

Draft
Copilot wants to merge 6 commits into main from copilot/add-oauth-support-for-mcp-servers


Copilot AI commented Jan 7, 2026

OAuth-protected MCP servers (Atlassian, Notion) were only functional on web. Desktop apps threw UnsupportedError despite the infrastructure being partially in place.

Changes

Core OAuth Implementation

  • Created oauth_io.dart implementing desktop OAuth flow via system browser + localhost callback server
  • PKCE support (RFC 7636), public/confidential clients, dynamic port fallback
  • Platform guards prevent mobile usage until proper implementation exists

Integration

  • Changed conditional import: oauth_stub.dart → oauth_io.dart for dart:io platforms
  • Removed !kIsWeb guards from McpServerProvider OAuth methods
  • Platform-aware redirect URI generation: web uses ${origin}/oauth_callback.html, desktop uses http://localhost:8080/oauth/callback

Flow

// Desktop OAuth now works
final discovery = await provider.discoverOAuthForServer('https://mcp.atlassian.com/v1/mcp');
if (discovery.requiresOAuth) {
  await provider.autoAuthenticateServer(serverName, discovery);
  // Opens browser → user authorizes → localhost callback → token stored
}

Documentation

  • Updated mcp_oauth_servers.md with desktop-specific flow, architecture diagrams, security considerations
  • Added implementation notes explaining conditional imports and platform handling

The existing SSE/Streamable clients already inject Bearer tokens when available—no changes needed there.

Original prompt

MCP Servers relying on OAuth daodao97#198
Open

areisde opened on Aug 24, 2025
Hi there,

A few MCP servers like Atlassian or Notion require the MCP Client to authenticate one time in order to allow the connection. Is this something we will be able to do in the future with chatMCP?

Thank you for your reply!

areisde (Author) commented on Aug 25, 2025
Update:

This feature is now implemented for the web version in PR daodao97#199:

  • OAuth 2.0 auto-discovery and dynamic client registration for MCP servers (tested with Atlassian and Notion)
  • PKCE and Bearer token support for web clients
  • Documentation: "docs/mcp_oauth_servers.md"
  • Note: Currently supports web only

Thank you for considering this feature! Let me know if you have any questions or feedback.

matteo-rama commented on Aug 25, 2025
Is there any plan to add it in the desktop app?

daodao97 (Owner) commented on Aug 25, 2025
new version released v0.0.76

matteo-rama commented on Sep 4, 2025
great thanks!

One more question: I think it doesn't support client credential, or at least I can't specify which OAuth flow to use if the OAuth server supports more.

Do you think it will be possible to add?

matteo-rama commented on Sep 10, 2025
@daodao97 also another issue I am facing: aside from the fact that not all OAuth servers support dynamic registration and rely on authenticating with clientsecret, I can say that if I enter
http://localhost:9090/sse
and check the log, I see the error with SSE, but I don't see the call at .wellknownhost nor any other subsequent call. That's strange, isn't it? Shouldn't it use that call to auto-discover the OAuth server?

isidoromendez commented on Nov 6, 2025 · edited by isidoromendez
Amazing app!!

I'm using 0.0.76 for Windows, but the OAuth flow doesn't start in response to the 401 from the initialize method from my MCP. My server uses a self-signed cert running locally. It works in Claude Desktop and mcp-inspector.

We appreciate any help!!

raspbeguy commented 4 days ago
Same problem for Android. I could also generate the token elsewhere and feed it to the app. Do you think this is possible?

harisonw commented 1 hour ago
Amazing app!!

I'm using 0.0.76 for Windows, but the OAuth flow doesn't start in response to the 401 from the initialize method from my MCP. My server uses a self-signed cert running locally. It works in Claude Desktop and mcp-inspector.

We appreciate any help!!

Same for me, I'm using 0.0.76 for Windows. Tried with Atlassian MCP.

Fix this in the Windows desktop app; sounds like it's already been done in the web version.

Expected way of working: A supported client connects to the server endpoint:

https://mcp.atlassian.com/v1/mcp
A secure browser-based OAuth 2.1 flow is triggered.

Once authorized, the client streams contextual data and receives real-time responses from Jira, Compass, or Confluence.



Copilot AI and others added 5 commits January 7, 2026 18:23
Co-authored-by: harisonw <87620631+harisonw@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add OAuth support for MCP servers authentication" to "Add OAuth 2.0 support for desktop platforms (Windows/macOS/Linux)" on Jan 7, 2026
Copilot AI requested a review from harisonw January 7, 2026 18:35
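
The PR description lists PKCE (RFC 7636) and a localhost callback for the desktop flow, and the two checks a reviewer would look for in oauth_io.dart are the S256 challenge derivation and the `state` check on the callback. They are shown here as an added example in Python, which is not the PR's Dart code and not chatmcp's API; `PendingAuth`, the client id and the authorization endpoint passed in are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

CALLBACK_PATH = "/oauth/callback"  # path taken from the PR description

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def s256_challenge(verifier: str) -> str:
    # RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class PendingAuth:
    """Hypothetical holder for one in-flight request; state and verifier are single-use."""

    def __init__(self, client_id: str, authorize_endpoint: str, port: int):
        self.client_id = client_id
        self.authorize_endpoint = authorize_endpoint
        # RFC 8252 recommends the loopback IP literal over "localhost".
        self.redirect_uri = f"http://127.0.0.1:{port}{CALLBACK_PATH}"
        self.verifier = b64url(secrets.token_bytes(32))  # 43 characters
        self.state = b64url(secrets.token_bytes(16))
        self.consumed = False

    def authorization_url(self) -> str:
        query = {"response_type": "code", "client_id": self.client_id,
                 "redirect_uri": self.redirect_uri, "state": self.state,
                 "code_challenge": s256_challenge(self.verifier),
                 "code_challenge_method": "S256"}
        return f"{self.authorize_endpoint}?{urlencode(query)}"

    def accept_callback(self, request_target: str) -> dict:
        """Validate the callback request target; return the token request form."""
        parts = urlsplit(request_target)
        params = parse_qs(parts.query)
        state = params.get("state", [""])[0]
        if self.consumed or parts.path != CALLBACK_PATH:
            raise ValueError("unexpected callback")
        if not hmac.compare_digest(state.encode(), self.state.encode()):
            raise ValueError("state mismatch")  # not the response to our request
        self.consumed = True  # a matching state is accepted exactly once
        if "error" in params or len(params.get("code", [])) != 1:
            raise ValueError("authorization failed")
        return {"grant_type": "authorization_code", "code": params["code"][0],
                "redirect_uri": self.redirect_uri, "client_id": self.client_id,
                "code_verifier": self.verifier}
```

The callback listener should bind to the loopback interface only and shut down after the first accepted callback, so the verifier never outlives the request it belongs to.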