feat(auth): migrate from mcp() to oauthProvider() for OAuth 2.1

apps/api/package.json

@@ -12,6 +12,7 @@
 	},
 	"dependencies": {
 		"@anthropic-ai/sdk": "^0.72.1",
+		"@better-auth/oauth-provider": "1.4.18",
 		"@electric-sql/client": "https://pkg.pr.new/@electric-sql/client@3724",
 		"@linear/sdk": "^68.1.0",
 		"@modelcontextprotocol/sdk": "^1.25.3",

apps/api/src/app/.well-known/oauth-authorization-server/[...path]/route.ts

@@ -0,0 +1,4 @@
+import { oauthProviderAuthServerMetadata } from "@better-auth/oauth-provider";
+import { auth } from "@superset/auth/server";
+
+export const GET = oauthProviderAuthServerMetadata(auth);

apps/api/src/app/.well-known/oauth-authorization-server/route.ts

@@ -1,4 +1,4 @@
+import { oauthProviderAuthServerMetadata } from "@better-auth/oauth-provider";
 import { auth } from "@superset/auth/server";
-import { oAuthDiscoveryMetadata } from "better-auth/plugins";
 
-export const GET = oAuthDiscoveryMetadata(auth);
+export const GET = oauthProviderAuthServerMetadata(auth);

apps/api/src/app/.well-known/oauth-protected-resource/[...path]/route.ts

@@ -0,0 +1,7 @@
+import { protectedResourceHandler } from "mcp-handler";
+import { env } from "@/env";
+
+export const GET = protectedResourceHandler({
+	authServerUrls: [env.NEXT_PUBLIC_API_URL],
+	resourceUrl: env.NEXT_PUBLIC_API_URL,
+});

apps/api/src/app/.well-known/oauth-protected-resource/route.ts

@@ -1,4 +1,7 @@
-import { auth } from "@superset/auth/server";
-import { oAuthProtectedResourceMetadata } from "better-auth/plugins";
+import { protectedResourceHandler } from "mcp-handler";
+import { env } from "@/env";
 
-export const GET = oAuthProtectedResourceMetadata(auth);
+export const GET = protectedResourceHandler({
+	authServerUrls: [env.NEXT_PUBLIC_API_URL],
+	resourceUrl: env.NEXT_PUBLIC_API_URL,
+});

apps/api/src/app/.well-known/openid-configuration/[...path]/route.ts

@@ -0,0 +1,4 @@
+import { oauthProviderOpenIdConfigMetadata } from "@better-auth/oauth-provider";
+import { auth } from "@superset/auth/server";
+
+export const GET = oauthProviderOpenIdConfigMetadata(auth);

apps/api/src/app/.well-known/openid-configuration/route.ts

@@ -0,0 +1,4 @@
+import { oauthProviderOpenIdConfigMetadata } from "@better-auth/oauth-provider";
+import { auth } from "@superset/auth/server";
+
+export const GET = oauthProviderOpenIdConfigMetadata(auth);

apps/api/src/app/api/agent/[transport]/route.ts

@@ -1,11 +1,12 @@
 import { auth } from "@superset/auth/server";
 import { registerTools } from "@superset/mcp";
 import type { McpContext } from "@superset/mcp/auth";
+import { verifyAccessToken } from "better-auth/oauth2";
 import { createMcpHandler, withMcpAuth } from "mcp-handler";
 import { env } from "@/env";
 
 async function verifyToken(req: Request, bearerToken?: string) {
-	// 1. Try session auth
+	// 1. Try session auth (for desktop/web app)
 	const session = await auth.api.getSession({ headers: req.headers });
 	if (session?.session) {
 		const extendedSession = session.session as {
@@ -28,35 +29,44 @@ async function verifyToken(req: Request, bearerToken?: string) {
 		};
 	}
 
-	// 2. Try OAuth bearer token
+	// 2. Try OAuth access token verification via JWKS
 	if (bearerToken) {
-		const mcpSession = await auth.api.getMcpSession({ headers: req.headers });
-		if (!mcpSession) return undefined;
+		try {
+			const payload = await verifyAccessToken(bearerToken, {
+				jwksUrl: `${env.NEXT_PUBLIC_API_URL}/api/auth/jwks`,
+				verifyOptions: {
+					issuer: env.NEXT_PUBLIC_API_URL,
+					audience: [env.NEXT_PUBLIC_API_URL, `${env.NEXT_PUBLIC_API_URL}/`],
+				},
+			});
+			if (!payload?.sub || !payload.organizationId) {
+				console.error(
+					"[mcp/auth] Access token missing sub or organizationId claim",
+				);
+				return undefined;
+			}
 
-		const scopes = Array.isArray(mcpSession.scopes)
-			? mcpSession.scopes
-			: (mcpSession.scopes?.split(" ") ?? []);
+			const scopes = Array.isArray(payload.scope)
+				? (payload.scope as string[])
+				: typeof payload.scope === "string"
+					? payload.scope.split(" ")
+					: [];
 
-		// Get organization from scope
-		const orgScope = scopes.find((s) => s.startsWith("organization:"));
-		const organizationId = orgScope?.split(":")[1];
-
-		if (!organizationId) {
-			console.error("[mcp/auth] OAuth token missing organization scope");
+			return {
+				token: bearerToken,
+				clientId: (payload.azp as string) ?? "mcp-client",
+				scopes,
+				extra: {
+					mcpContext: {
+						userId: payload.sub,
+						organizationId: payload.organizationId as string,
+					} satisfies McpContext,
+				},
+			};
+		} catch (error) {
+			console.error("[mcp/auth] Access token verification failed:", error);
 			return undefined;
 		}
-
-		return {
-			token: bearerToken,
-			clientId: mcpSession.clientId ?? "mcp-client",
-			scopes,
-			extra: {
-				mcpContext: {
-					userId: mcpSession.userId,
-					organizationId,
-				} satisfies McpContext,
-			},
-		};
 	}
 
 	return undefined;

apps/docs/content/docs/mcp.mdx

@@ -57,13 +57,7 @@ Add a `.mcp.json` to your project root. Claude Code auto-discovers this file and
   "mcpServers": {
     "superset": {
       "type": "http",
-      "url": "https://api.superset.sh/api/agent/mcp",
-      "oauth": {
-        "clientId": "claude-code",
-        "authorizationUrl": "https://api.superset.sh/api/auth/mcp/authorize",
-        "tokenUrl": "https://api.superset.sh/api/auth/mcp/token",
-        "scopes": ["openid", "profile", "email"]
-      }
+      "url": "https://api.superset.sh/api/agent/mcp"
     }
   }
 }
@@ -126,8 +120,7 @@ Add to your `opencode.json`:
   "mcp": {
     "superset": {
       "type": "remote",
-      "url": "https://api.superset.sh/api/agent/mcp",
-      "enabled": true
+      "url": "https://api.superset.sh/api/agent/mcp"
     }
   }
 }

apps/web/src/app/oauth/consent/components/ConsentForm/ConsentForm.tsx

@@ -1,5 +1,6 @@
 "use client";
 
+import { authClient } from "@superset/auth/client";
 import { Button } from "@superset/ui/button";
 import {
 	Select,
@@ -24,7 +25,6 @@ interface Organization {
 }
 
 interface ConsentFormProps {
-	consentCode: string;
 	clientId: string;
 	clientName?: string;
 	scopes: string[];
@@ -56,7 +56,6 @@ const SCOPE_DESCRIPTIONS: Record<
 };
 
 export function ConsentForm({
-	consentCode,
 	clientId,
 	clientName,
 	scopes,
@@ -74,63 +73,41 @@ export function ConsentForm({
 	const selectedOrg = organizations.find((o) => o.id === selectedOrgId);
 
 	const handleConsent = async (accept: boolean) => {
+		if (accept && !selectedOrgId) {
+			setError("Please select an organization");
+			return;
+		}
+
 		setIsLoading(true);
 		setError(null);
 
 		try {
-			// Add organization scope to verification value before consent
-			// (Better Auth's consent endpoint doesn't accept scope in body)
-			if (accept && selectedOrgId) {
-				const addScopeResponse = await fetch(
-					`${process.env.NEXT_PUBLIC_API_URL}/api/auth/oauth/add-org-scope`,
-					{
-						method: "POST",
-						headers: {
-							"Content-Type": "application/json",
-						},
-						credentials: "include",
-						body: JSON.stringify({
-							consent_code: consentCode,
-							organizationId: selectedOrgId,
-						}),
-					},
-				);
-
-				if (!addScopeResponse.ok) {
-					const data = await addScopeResponse.json();
-					throw new Error(data.error || "Failed to set organization scope");
+			if (accept) {
+				const { error: setActiveError } =
+					await authClient.organization.setActive({
+						organizationId: selectedOrgId,
+					});
+				if (setActiveError) {
+					throw new Error(
+						setActiveError.message ?? "Failed to set organization",
+					);
 				}
 			}
 
-			const response = await fetch(
-				`${process.env.NEXT_PUBLIC_API_URL}/api/auth/oauth2/consent`,
-				{
-					method: "POST",
-					headers: {
-						"Content-Type": "application/json",
-					},
-					credentials: "include",
-					body: JSON.stringify({
-						accept,
-						consent_code: consentCode,
-					}),
-				},
-			);
-
-			const data = await response.json();
+			const { data, error: consentError } = await authClient.oauth2.consent({
+				accept,
+				scope: accept ? scopes.join(" ") : undefined,
+			});
 
-			if (!response.ok) {
-				throw new Error(
-					data.error_description || data.message || "Failed to process consent",
-				);
+			if (consentError) {
+				throw new Error(consentError.message ?? "Failed to process consent");
 			}
 
-			const redirectUrl = data.redirectURI || data.redirectTo;
-			if (redirectUrl) {
-				window.location.href = redirectUrl;
+			if (data?.uri) {
+				window.location.href = data.uri;
 			}
 		} catch (err) {
-			console.error("Consent error:", err);
+			console.error("[oauth/consent] Error:", err);
 			setError(err instanceof Error ? err.message : "An error occurred");
 			setIsLoading(false);
 		}

apps/web/src/app/oauth/consent/page.tsx

@@ -9,11 +9,7 @@ import { api } from "@/trpc/server";
 import { ConsentForm } from "./components/ConsentForm";
 
 interface ConsentPageProps {
-	searchParams: Promise<{
-		consent_code?: string;
-		client_id?: string;
-		scope?: string;
-	}>;
+	searchParams: Promise<Record<string, string>>;
 }
 
 export default async function ConsentPage({ searchParams }: ConsentPageProps) {
@@ -23,13 +19,14 @@ export default async function ConsentPage({ searchParams }: ConsentPageProps) {
 
 	if (!session) {
 		const params = await searchParams;
-		const returnUrl = `/oauth/consent?${new URLSearchParams(params as Record<string, string>).toString()}`;
+		const returnUrl = `/oauth/consent?${new URLSearchParams(params).toString()}`;
 		redirect(`/sign-in?redirect=${encodeURIComponent(returnUrl)}`);
 	}
 
-	const { consent_code, client_id, scope } = await searchParams;
+	const params = await searchParams;
+	const { client_id, scope } = params;
 
-	if (!consent_code || !client_id) {
+	if (!client_id) {
 		return (
 			<div className="relative flex min-h-screen flex-col">
 				<header className="container mx-auto px-6 py-6">
@@ -64,7 +61,7 @@ export default async function ConsentPage({ searchParams }: ConsentPageProps) {
 	const trpc = await api();
 	const userOrganizations = await trpc.user.myOrganizations.query();
 
-	const oauthApp = await db.query.oauthApplications.findFirst({
+	const oauthApp = await db.query.oauthClients.findFirst({
 		where: (table, { eq }) => eq(table.clientId, client_id),
 		columns: { name: true },
 	});
@@ -90,7 +87,6 @@ export default async function ConsentPage({ searchParams }: ConsentPageProps) {
 			</header>
 			<main className="flex flex-1 items-center justify-center">
 				<ConsentForm
-					consentCode={consent_code}
 					clientId={client_id}
 					clientName={oauthApp?.name ?? undefined}
 					scopes={scopes}

packages/auth/package.json

@@ -27,6 +27,7 @@
 	},
 	"dependencies": {
 		"@better-auth/expo": "1.4.18",
+		"@better-auth/oauth-provider": "1.4.18",
 		"@better-auth/stripe": "1.4.18",
 		"@superset/db": "workspace:*",
 		"@superset/email": "workspace:*",

packages/auth/src/client.ts

@@ -1,5 +1,6 @@
 "use client";
 
+import { oauthProviderClient } from "@better-auth/oauth-provider/client";
 import { stripeClient } from "@better-auth/stripe/client";
 import type { auth } from "@superset/auth/server";
 import {
@@ -16,5 +17,6 @@ export const authClient = createAuthClient({
 		customSessionClient<typeof auth>(),
 		stripeClient({ subscription: true }),
 		apiKeyClient(),
+		oauthProviderClient(),
 	],
 });