feat: add HTTP client option to OAuthConfig

[sd2k]

Description

It's already possible to customize the underlying client used by the SSE
and streamable HTTP transports, but not the OAuth handler. This adds
an option to customize the underlying client used by the OAuth handler.

Type of Change

• Bug fix (non-breaking change that fixes an issue)
• New feature (non-breaking change that adds functionality)
• MCP spec compatibility implementation
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Code refactoring (no functional changes)
• Performance improvement
• Tests only (no functional changes)
• Other (please describe):

Checklist

• My code follows the code style of this project
• I have performed a self-review of my own code
• I have added tests that prove my fix is effective or that my feature works
• I have updated the documentation accordingly

MCP Spec Compliance

• This PR implements a feature defined in the MCP specification
• Link to relevant spec section: Link text
• Implementation follows the specification exactly

Additional Information

It's a pretty tiny change and I've tested it out locally.

Summary by CodeRabbit

• New Features
  • Added the ability to configure a custom HTTP client for OAuth operations, enabling advanced networking settings (proxies, retries, transport tweaks). This gives admins finer control over connection behavior in restricted environments.
• Improvements
  • When not configured, OAuth requests now use a default client with a 30s timeout, improving reliability and preventing indefinite hangs.

[coderabbitai]

Walkthrough

Adds an injectable HTTP client to OAuth by adding HTTPClient *http.Client to OAuthConfig, setting a default 30s client in NewOAuthHandler when nil, and having OAuthHandler use config.HTTPClient instead of a hardcoded client.

Changes

Cohort / File(s)	Change summary
OAuth HTTP client injection client/transport/oauth.go	Added HTTPClient *http.Client to OAuthConfig; NewOAuthHandler sets a default 30s-timeout client if HTTPClient is nil; OAuthHandler uses config.HTTPClient instead of a hardcoded client.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

• tra4less
• ezynda3

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description Check	⚠️ Warning	The PR description includes a summary but does not follow the repository’s template, missing the ## Description header, issue reference, Type of Change section with checkboxes, project checklist, and optional spec compliance or additional information sections, leaving critical metadata and validation steps unclear for reviewers.	Please update the PR description to follow the repository’s template by adding the ## Description header, referencing any related issue, completing the Type of Change and checklist sections, and including MCP spec compliance and additional information where relevant to ensure reviewers have all necessary context and metadata.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title clearly summarizes the main change by indicating the addition of an HTTP client option to the OAuthConfig, matching the core update in the code without extraneous detail.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e4138fc and d1d4fc1.

📒 Files selected for processing (1)

• client/transport/oauth.go (2 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**/*.go

📄 CodeRabbit inference engine (AGENTS.md)

**/*.go: Order imports: standard library first, then third-party, then local packages (goimports enforces this)
Follow Go naming conventions: exported identifiers in PascalCase; unexported in camelCase; acronyms uppercase (HTTP, JSON, MCP)
Error handling: return sentinel errors, wrap with fmt.Errorf("context: %w", err), and check with errors.Is/As
Prefer explicit types and strongly-typed structs; avoid using any except where protocol flexibility is required (e.g., Arguments any)
All exported types and functions must have GoDoc comments starting with the identifier name; avoid inline comments unless necessary
Functions that are handlers or long-running must accept context.Context as the first parameter
Ensure thread safety for shared state using sync.Mutex and document thread-safety requirements in comments
For JSON: use json struct tags with omitempty for optional fields; use json.RawMessage for flexible/deferred parsing

Files:

• client/transport/oauth.go

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: test
• GitHub Check: coverage

🔇 Additional comments (3)

client/transport/oauth.go (3)

37-39: Well-documented optional field following Go conventions.

The field documentation properly starts with the identifier name and clearly describes both the purpose and the nil-case behavior.

As per coding guidelines.

---

157-159: Clean initialization with sensible default timeout.

The nil-check and default initialization follows the same pattern as the TokenStore setup above it. The 30-second timeout is appropriate for OAuth operations including discovery, token exchange, and refresh requests.

---

163-163: Correct usage of the configured HTTP client.

The assignment properly uses the initialized config.HTTPClient, which is guaranteed to be non-nil after the check on lines 157-159.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6d52180 and e4138fc.

📒 Files selected for processing (1)

• client/transport/oauth.go (2 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**/*.go

📄 CodeRabbit inference engine (AGENTS.md)

**/*.go: Order imports: standard library first, then third-party, then local packages (goimports enforces this)
Follow Go naming conventions: exported identifiers in PascalCase; unexported in camelCase; acronyms uppercase (HTTP, JSON, MCP)
Error handling: return sentinel errors, wrap with fmt.Errorf("context: %w", err), and check with errors.Is/As
Prefer explicit types and strongly-typed structs; avoid using any except where protocol flexibility is required (e.g., Arguments any)
All exported types and functions must have GoDoc comments starting with the identifier name; avoid inline comments unless necessary
Functions that are handlers or long-running must accept context.Context as the first parameter
Ensure thread safety for shared state using sync.Mutex and document thread-safety requirements in comments
For JSON: use json struct tags with omitempty for optional fields; use json.RawMessage for flexible/deferred parsing

Files:

• client/transport/oauth.go

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: test
• GitHub Check: coverage

🔇 Additional comments (1)

client/transport/oauth.go (1)

163-163: LGTM!

The assignment correctly uses the initialized HTTPClient from the config, enabling custom client injection throughout the OAuth handler operations.