fix: Direct OAuth Flow PKCE store mapping for provider identification#108
Merged
Conversation
- Add docs/getting-started/01-overview.md (framework overview)
- Add docs/getting-started/02-http-session-management.md (header-based sessions)
- Add docs/getting-started/03-tool-registry-http-mode.md (critical toolRegistry pattern)
- Update CLAUDE.md.hbs template with Framework Source Code section
Based on real-world adoption feedback from production use case. Addresses confusion around HTTP mode patterns and session management.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

- OAuth Direct Flow provider identification fix
- vibe-validate update to 0.17.4
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

- Update root version to 0.9.1-rc.2
- Update vibe-validate to 0.17.4
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

- Implemented PKCE validation logic (sha256 challenge verification)
- Created helper functions to eliminate duplication:
  - createMockProvider(): Reduces mock provider creation boilerplate
  - computeCodeChallenge(): Centralizes PKCE challenge computation
- Reduced duplicated code from 42 lines (14.3%) to near zero
- Fixed ESLint: Use node:crypto instead of crypto
Addresses SonarCloud feedback:
- Completed TODO for PKCE validation
- Eliminated duplicated mock provider patterns
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Summary

Fixes #107 - Direct OAuth Flow now works correctly with Claude Code and MCP Inspector.

Problem

Direct OAuth Flow (client-provided PKCE) was failing with invalid_grant errors because the server wasn't storing authorization code mappings in the PKCE store. This prevented provider identification in multi-provider deployments.

Solution

Always store authorization code mappings in the PKCE store, using the empty string '' as the sentinel value for Direct OAuth Flow:
- code_verifier (server-generated)
- code_verifier)

Changes

Core Fix
- resolveCodeVerifierForTokenExchange()

Testing

Documentation

Testing

✅ All validation tests passing (ran vibe-validate validate)
✅ Direct OAuth Flow tests (11 new test cases)
✅ OAuth Proxy Flow tests (existing tests still pass)
✅ Multi-provider routing tests

Breaking Changes

None - this is a bug fix that makes existing functionality work correctly.

Release Notes

Bug Fixes:
- invalid_grant errors

Documentation:

🤖 Generated with Claude Code
Co-Authored-By: Claude Sonnet 4.5 noreply@anthropic.com
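As an added illustration of the fix described in this PR (example code written here, not the project's own implementation), the block below keeps a code-to-provider mapping in the PKCE store for both flows and uses the empty string '' as the Direct OAuth Flow sentinel, so the token endpoint can always identify the provider. The PkceEntry type, the pkceStore map, storeAuthorizationCode() and the shape of resolveCodeVerifierForTokenExchange() are assumptions made for this example; only the function name and the sentinel convention come from the PR. The S256 challenge computation follows RFC 7636.

```typescript
// Added example for this PR's topic; not the project's own code. PkceEntry,
// pkceStore, storeAuthorizationCode and the return shape below are assumptions.
import { createHash, timingSafeEqual } from "node:crypto";

// One record per issued authorization code. codeVerifier holds the
// server-generated verifier for the OAuth Proxy Flow and the sentinel ''
// for the Direct OAuth Flow, where the client keeps its own verifier.
export interface PkceEntry {
  providerId: string;      // upstream provider that issued this code
  codeVerifier: string;    // '' = Direct Flow sentinel
  codeChallenge?: string;  // client's S256 challenge (Direct Flow only)
}

// Constructed in-memory store; a real deployment would expire entries.
export const pkceStore = new Map<string, PkceEntry>();

// RFC 7636 S256: base64url(SHA-256(ASCII(code_verifier)))
export function computeCodeChallenge(codeVerifier: string): string {
  return createHash("sha256").update(codeVerifier).digest("base64url");
}

// Constant-time string comparison (timingSafeEqual needs equal lengths).
function safeEqual(a: string, b: string): boolean {
  const ba = Buffer.from(a);
  const bb = Buffer.from(b);
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

// Record the code -> provider mapping for BOTH flows. Skipping this step for
// the Direct Flow is what left the token endpoint unable to identify the
// provider and answering invalid_grant.
export function storeAuthorizationCode(
  code: string,
  providerId: string,
  opts: { serverVerifier?: string; clientChallenge?: string },
): void {
  if (opts.serverVerifier !== undefined) {
    // OAuth Proxy Flow: server generated the verifier and keeps it.
    pkceStore.set(code, { providerId, codeVerifier: opts.serverVerifier });
  } else if (opts.clientChallenge !== undefined) {
    // Direct OAuth Flow: only the client's challenge is known server-side.
    pkceStore.set(code, { providerId, codeVerifier: "", codeChallenge: opts.clientChallenge });
  } else {
    throw new Error("either a server verifier or a client challenge is required");
  }
}

export interface ResolvedExchange {
  providerId: string;
  codeVerifier: string;
}

// Token-exchange step. Returns null wherever the server should answer
// invalid_grant: unknown or consumed code, missing verifier, or mismatch.
export function resolveCodeVerifierForTokenExchange(
  code: string,
  clientVerifier?: string,
): ResolvedExchange | null {
  const entry = pkceStore.get(code);
  if (!entry) return null;
  // Authorization codes are single-use: consume on first presentation,
  // successful or not, so a replayed or guessed code cannot be retried.
  pkceStore.delete(code);

  if (entry.codeVerifier !== "") {
    // OAuth Proxy Flow: use the verifier the server stored.
    return { providerId: entry.providerId, codeVerifier: entry.codeVerifier };
  }
  // Direct OAuth Flow: the client must present the verifier that hashes to
  // the challenge it registered at authorization time.
  if (!clientVerifier || !entry.codeChallenge) return null;
  if (!safeEqual(computeCodeChallenge(clientVerifier), entry.codeChallenge)) return null;
  return { providerId: entry.providerId, codeVerifier: clientVerifier };
}
```

The sentinel keeps one store for both flows, so the provider lookup never depends on which flow issued the code; the branch on '' only decides where the verifier comes from, and the challenge check is what stops a code issued for one client from being redeemed by another.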