Mirror: feat(mcp): re-enable oauth resource parameter and add discovery logging (#5331)

[jeremylongshore]

Mirror of Kilo-Org#5331

Field	Value
Upstream PR	#5331
Author	@jrf0110
Category	feature
Tier	2
Size	4 lines, 2 files
Status	APPROVED (ready to merge)

This PR mirrors the upstream change for multi-AI review analysis.

Changes

• Re-enable RFC 8707 resource parameter in OAuth authorization URL
• Add warning logs for RFC 8414 and OIDC metadata discovery failures

Bot Review Checklist

• CodeRabbit reviewed
• Gemini Code Assist reviewed
• Greptile reviewed
• CodeQL scanned
• Qodo PR-Agent reviewed

[coderabbitai]

Warning

Rate limit exceeded

@jeremylongshore has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 12 minutes and 2 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch review/PR-5331

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @jeremylongshore, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the OAuth flow by re-enabling a crucial resource parameter, which improves the specificity of authorization requests. Additionally, it introduces logging for metadata discovery failures, providing better visibility and debuggability for issues related to authorization server configuration.

Highlights

• OAuth Resource Parameter Re-enabled: The RFC 8707 resource parameter has been re-enabled in the OAuth authorization URL, which was previously commented out due to Cloudflare compatibility concerns.
• Discovery Logging Added: Warning logs have been introduced for failures during RFC 8414 (OAuth 2.0 Authorization Server Metadata) and OIDC (OpenID Connect) metadata discovery processes, aiding in debugging.

Changelog

• src/services/mcp/oauth/McpAuthorizationDiscovery.ts
  • Added warning logs for failed RFC 8414 metadata fetches.
  • Added warning logs for failed OIDC metadata fetches.
• src/services/mcp/oauth/McpOAuthService.ts
  • Re-enabled the resource parameter in the OAuth authorization request, removing the previous comment.

Activity

• The pull request has undergone review by multiple bot services including CodeRabbit, Gemini Code Assist, Greptile, CodeQL, and Qodo PR-Agent.
• The pull request has been approved and is ready to merge.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

Failed to generate code suggestions for PR

[gemini-code-assist]

Code Review

This pull request re-enables the RFC 8707 resource parameter in the OAuth flow and adds warning logs for metadata discovery failures. The changes are aligned with the PR's objectives. My review includes a high-severity comment regarding the removal of context about a potential provider-specific issue when re-enabling the resource parameter. I've also included two medium-severity suggestions to update comments to more accurately reflect the new logging behavior in error handling blocks.

[gemini-code-assist]

Re-enabling the resource parameter is a good step for broader RFC 8707 compliance. However, the previous comment mentioned a specific issue with Cloudflare. Removing this comment loses valuable context that could be important for future debugging or for users interacting with Cloudflare-based services. To improve maintainability, please consider either:

1. Adding a new comment explaining why it's safe to re-enable this (e.g., if the Cloudflare issue is resolved).
2. If the issue might still exist for some providers, making the inclusion of the resource parameter conditional.

[gemini-code-assist]

With the addition of console.warn, the error is no longer fully ignored. To avoid confusion, it would be clearer to update the comment to reflect that the error is logged before proceeding.

Suggested change

	// Ignore and try next
	console.warn(`Failed to fetch RFC 8414 metadata:`, e)
	// Log error and try next discovery method
	console.warn(`Failed to fetch RFC 8414 metadata:`, e)

[gemini-code-assist]

Similar to the previous catch block, the comment // Ignore fetch errors is now slightly misleading since the error is being logged. Please update the comment to reflect the new behavior.

Suggested change

	// Ignore fetch errors
	console.warn(`Failed to fetch OIDC metadata:`, e)
	// Log fetch errors and continue
	console.warn(`Failed to fetch OIDC metadata:`, e)

[jeremylongshore]

Review Summary

Aspect	Assessment
Verdict	APPROVE
Confidence	5/5
Risk	Low
Blocking Issues	0
Suggestions	1 (minor)

Checklist

• CI passes (all 11 checks green)
• Maintainer approved (@marius-kilocode)
• Changes match PR description
• No security concerns (logging, auth params)
• Changeset included (missing, but patch-level change)

Findings

1. Stale Comment (Minor)

Location: src/services/mcp/oauth/McpOAuthService.ts:187-188

The comment above the authorization params still says:

// Note: We don't include the 'resource' parameter by default as some servers
// (like Cloudflare) don't support RFC 8707 and return internal server error

But the code now does include the resource parameter:

resource: serverUrl,

Suggestion: Update or remove the comment to reflect the new behavior.

2. Cloudflare Compatibility (Context)

The original Kilo-Org#5297 PR disabled the resource parameter specifically because Cloudflare doesn't support RFC 8707. Re-enabling it will break Cloudflare-hosted MCP servers.

This is likely intentional (RFC compliance > single provider compatibility), but worth noting in changelog.

Verification

What	How	Result
CI	gh pr checks	11/11 pass
Maintainer approval	Review state	APPROVED
Bot reviews	Fork PR #10	Gemini: no issues. CodeRabbit: rate-limited (1 of 2 bots responded)
Type safety	check-types	PASS (22 packages)

Code Changes

// McpAuthorizationDiscovery.ts - Added logging
} catch (e) {
  console.warn(`Failed to fetch RFC 8414 metadata:`, e)
}
// ...
} catch (e) {
  console.warn(`Failed to fetch OIDC metadata:`, e)
}

// McpOAuthService.ts - Re-enabled resource param
-// resource: serverUrl, // Disabled: Cloudflare doesn't support RFC 8707
+resource: serverUrl,

Recommendation

APPROVE — Clean RFC 8707 compliance change with improved observability. The stale comment is minor and can be fixed in a follow-up.

---

Multi-AI analysis: Fork PR #10

[jeremylongshore]

Review Journal: kilocode Kilo-Org#5331

PR: #5331 |
Title: feat(mcp): re-enable oauth resource parameter and add discovery logging |
Author: @jrf0110 |
Category: feature | Tier: 2 | Size: 4 lines, 2 files | Confidence: 5/5

Multi-AI analysis: Fork PR #10 — CodeRabbit (rate-limited), Gemini (no issues)

---

Summary

This PR is a follow-up to the major MCP OAuth implementation in Kilo-Org#5297. It makes two changes: (1) re-enables the RFC 8707 resource parameter that was disabled for Cloudflare compatibility, and (2) adds warning logs when OAuth metadata discovery fails. Already approved by maintainer @marius-kilocode.

First Impressions

A 4-line PR with maintainer approval — should be fast. The feat(mcp): prefix suggests it's related to the MCP OAuth work. Linked to Kilo-Org#5297 which was a 45+ file OAuth implementation, so this is cleanup/enhancement.

What I Looked At

1. The PR diff — 2 files, 4 lines total
2. Issue feat(mcp): implement oauth 2.1 authorization for http transports Kilo-Org/kilocode#5297 — The parent OAuth implementation PR
3. Current code on main — McpOAuthService.ts around line 187-195
4. Fork PR Mirror: feat(mcp): re-enable oauth resource parameter and add discovery logging (#5331) #10 — Bot reviews
5. Upstream comments — kiloconnect bot noted comment/code mismatch

Analysis

Change 1: Re-enable resource parameter

The RFC 8707 resource parameter tells the authorization server which API the token is intended for. It was disabled in Kilo-Org#5297 because:

"Some servers (like Cloudflare) don't support RFC 8707 and return internal server error"

This PR re-enables it, prioritizing RFC compliance over Cloudflare compatibility. This is the right trade-off — RFC 8707 is a security feature that prevents token confusion attacks, and Cloudflare should fix their implementation rather than projects disabling security features.

Change 2: Discovery logging

Adding console.warn for failed RFC 8414 and OIDC metadata fetches. This is observability improvement — when OAuth fails, developers can now see which discovery method failed and why. Clean addition.

Stale comment

The kiloconnect bot correctly identified that the comment above the authorization params contradicts the new code. The comment says "we don't include the resource parameter" but the code now includes it. Minor issue, can be fixed in follow-up.

Bot Review Synthesis

Bot	Status	Findings
CodeRabbit	Rate-limited	-
Gemini	Reviewed	No issues, accurate summary
Greptile	No response	0/7 streak continues
CodeQL	Pending	-
Qodo	Failed	"Failed to generate code suggestions"

Gemini provided a clean summary but no actionable findings. CodeRabbit hit hourly rate limits from our batch work.

Verification

• CI: All 11 checks pass
• Maintainer: APPROVED by @marius-kilocode
• Type safety: check-types passes (22 packages)
• Blast radius: Changes are isolated to OAuth service layer

Lessons Learned

1. Already-approved PRs are fast — When a maintainer has approved, focus on blocking issues only
2. Comment/code mismatches are real findings — Even if minor, they create confusion for future readers
3. Bot rate limits affect batch work — CodeRabbit hourly limits hit when reviewing multiple PRs

Recommendation

APPROVE — Clean, focused enhancement with maintainer sign-off. The stale comment is minor.

---

_{Review #7 of 75 | Methodology: jeremylongshore/kilocode/.reviews | Reviewed with Claude Code}