Upgrade mcp client to latest, add state to oauth provider

[jescalan]

The mcp typescript sdk released a new version today as a minor, but it included potentially breaking changes, so I would recommend pushing this as a major (minor i suppose, since this lib is pre-1.0) if it does end up merging, since it makes a substantial change to the oauth server metadata discovery process. This PR upgrades to this latest version, and also adds the state param to the oauth provider, which is required by many oauth server implementations. I tested this on a mcp server that requires a state param, and it did work correctly though!

Some general notes on what will need to change on the mcp/resource server side as a result of the breaking changes:

• Previously, <mcp-endpoint>/.well-known/oauth-authorization-server was the default for metadata discovery
• Now, the sdk will go looking first for <mcp-endpoint>/.well-known/oauth-protected-resource, and if it finds this, will pull the authorization server urls.
• If there is only one authorization server url, it will then go to <auth-server-url>/.well-known/oauth-authorization-server and grab the authentication and registration endpoints from this result, and proceed
• If there is more than one authorization server url, or if <mcp-endpoint>/.well-known/oauth-protected-resource isn't present, it will fall back to the previous behavior of looking for <mcp-endpoint>/.well-known/oauth-authorization-server.

Hope this is somewhat helpful maybe for release notes? I think it won't be breaking for the vast majority of people in reality, since the case that does break is if oauth-protected-resource is implemented but points to a different oauth-authorization-server instance that is not spec compliant exactly or not configured accurately.

[phuctm97]

This is blocking for me as well.

[jescalan]

To bridge the gap, I have published this fork at @jescalan/mcp-remote so you're welcome to use that if it's helpful. Not ideal though, and I hope this can be merged and it will no longer be necessary soon 😁

[geelen]

Apologies, been out sick for a few days. Hoped to look at this today but didn't get to it.

I think if you rebase against main you should get a working build and you can use the pkg.pr.new URL to test this in the meantime. Or @jescalan's version will work too I suppose

[jescalan]

Rebased and pushed! Hope you're feeling better @geelen 💖

[pkg-pr-new]

Open in StackBlitz

npx https://pkg.pr.new/mcp-remote@93

commit: f1784d8

[geelen]

Alright this is out now as v0.1.12. I was trying to carve out time to properly grapple with the new auth flows, but realised that was just holding things up. So this is now out, and I'll circle back to look at that as soon as I can

[jescalan]

Hooray thank you! If it would be at all helpful or save you any time, happy to find some time chat more about the new auth flows, I have been knee-deep in them for weeks 😅