feat(integrations): MCP OAuth providers #2
Conversation
Implements Model Context Protocol (MCP) OAuth 2.1 authorization code flow with:

- MCPAuthProvider base class with dynamic endpoint discovery
- PKCE enabled by default for OAuth 2.1 compliance
- Resource parameter to identify MCP servers
- RunReveal MCP provider for security data analysis
- Atlassian MCP provider for Jira, Confluence, Compass

OAuth endpoints are discovered automatically from /.well-known/oauth-authorization-server, eliminating the need for hardcoded endpoints. Scopes are determined by the authorization server based on user permissions.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

- Fix empty scopes handling in BaseOAuthProvider to avoid sending scope=""
- Add fallback OAuth endpoint support for providers without discovery
- Simplify GitHub and Microsoft MCP providers to use fallback pattern
- Ensure all MCP providers handle empty scopes correctly

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
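As an added illustration of the flow the description outlines (example code, not from this PR or from tracecat): the RFC 8414 metadata URL for a path-based issuer, a PKCE S256 pair, and an authorize request that carries `resource` and omits an empty `scope`. Function and parameter names are assumptions.

```python
"""Added example, not the PR's code: pieces of the MCP OAuth 2.1 flow."""
import base64
import hashlib
import secrets
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/oauth-authorization-server"


def discovery_url(mcp_server_uri: str) -> str:
    """RFC 8414 metadata URL. For a path-based issuer the well-known segment
    goes between host and path, so the path must not be dropped."""
    parsed = urlparse(mcp_server_uri)
    # Metadata supplies the token endpoint we will trust: require absolute https.
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("issuer must be an absolute https URL")
    path = parsed.path.rstrip("/")
    return f"https://{parsed.netloc}{WELL_KNOWN}{path}"


def pkce_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Fresh 43-char verifier (32 random bytes) and its S256 challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=")
    verifier = verifier.decode("ascii")
    return verifier, pkce_challenge(verifier)


def authorize_params(client_id: str, redirect_uri: str, resource: str,
                     code_challenge: str, state: str,
                     scopes: tuple[str, ...] = ()) -> dict[str, str]:
    """Authorization request parameters. `resource` (RFC 8707) names the MCP
    server; an empty scope list is omitted rather than sent as scope=""."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "state": state,
        "resource": resource,
    }
    if scopes:
        params["scope"] = " ".join(scopes)
    return params
```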
5 issues found across 8 files
Prompt for AI agents (all 5 issues)
Understand the root cause of the following 5 issues and fix them.
<file name="tracecat/integrations/providers/base.py">
<violation number="1" location="tracecat/integrations/providers/base.py:298">
The `MCPAuthProvider` constructor performs a synchronous, blocking HTTP request for endpoint discovery. Because provider instances are created for each API request, this will block the server's event loop and cause severe performance degradation for the entire application.</violation>
<violation number="2" location="tracecat/integrations/providers/base.py:314">
Discovery base URL omits the path component of `_mcp_server_uri`, breaking well-known discovery for path-based issuers. Include `parsed.path` in the base URL.</violation>
</file>
<file name="tracecat/integrations/providers/github/mcp.py">
<violation number="1" location="tracecat/integrations/providers/github/mcp.py:40">
requires_config=False likely misleads the UI; this provider needs pre-configured client credentials since no dynamic registration is performed and fallback endpoints are used.</violation>
</file>
<file name="tracecat/integrations/providers/microsoft/mcp.py">
<violation number="1" location="tracecat/integrations/providers/microsoft/mcp.py:35">
Empty default scopes mean no scope is sent; if using scope-based endpoints, this can cause invalid_request/invalid_scope errors. Provide appropriate scopes or use endpoints that support resource.</violation>
<violation number="2" location="tracecat/integrations/providers/microsoft/mcp.py:55">
api_docs_url likely inaccurate; link to official Microsoft Learn or Microsoft identity/MCP documentation.
*DEV MODE: This violation would have been filtered out by screening filters. Failing filters: uncertaintyLanguage.*
DEV MODE: This violation would have been filtered out by GPT-5.
Reasoning:
• **GPT-5**: API docs URL concern is speculative and low impact; not a clear, high-confidence technical issue.
• **Libraries consulted**: Microsoft identity platform v2 endpoint resource parameter scopes authorize token, Azure AD v2.0 endpoint resource parameter not supported scope required authorize token, Microsoft identity platform v1 vs v2 endpoint resource parameter scopes documentation authorize token endpoint, learn.microsoft.com Microsoft identity platform v2 endpoint scopes resource parameter authorize token documentation, Entra-docs</violation>
</file>
def _get_base_url(self) -> str: | ||
"""Extract base URL from MCP server URI.""" | ||
parsed = urlparse(self._mcp_server_uri) | ||
return f"{parsed.scheme}://{parsed.netloc}" |
Discovery base URL omits the path component of _mcp_server_uri
, breaking well-known discovery for path-based issuers. Include parsed.path
in the base URL.
Prompt for AI agents
Address the following comment on tracecat/integrations/providers/base.py at line 314:
<comment>Discovery base URL omits the path component of `_mcp_server_uri`, breaking well-known discovery for path-based issuers. Include `parsed.path` in the base URL.</comment>
<file context>
@@ -269,3 +274,113 @@ async def get_client_credentials_token(self) -> TokenResponse:
+ def _get_base_url(self) -> str:
+ """Extract base URL from MCP server URI."""
+ parsed = urlparse(self._mcp_server_uri)
+ return f"{parsed.scheme}://{parsed.netloc}"
+
+ def _discover_oauth_endpoints(self) -> None:
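Review bot: `_get_base_url` validates nothing about the parsed URI before it feeds the discovery request: an `_mcp_server_uri` without a scheme yields an empty `netloc`, and a plain `http://` URI would fetch the authorization-server metadata, which supplies the token endpoint the provider then trusts, over cleartext. Reject anything that is not an absolute https URL here, and when the path is restored note that RFC 8414 inserts `/.well-known/oauth-authorization-server` between the host and the path rather than after it.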
</file context>
[internal] Confidence score: 9/10
[internal] Posted by: General AI Review Agent
return f"{parsed.scheme}://{parsed.netloc}" | |
return f"{parsed.scheme}://{parsed.netloc}{parsed.path.rstrip('/')}" |
name="GitHub Copilot MCP", | ||
description="GitHub Copilot Model Context Protocol OAuth provider for AI-powered development assistance", | ||
enabled=True, | ||
requires_config=False, |
requires_config=False likely misleads the UI; this provider needs pre-configured client credentials since no dynamic registration is performed and fallback endpoints are used.
Prompt for AI agents
Address the following comment on tracecat/integrations/providers/github/mcp.py at line 40:
<comment>requires_config=False likely misleads the UI; this provider needs pre-configured client credentials since no dynamic registration is performed and fallback endpoints are used.</comment>
<file context>
@@ -0,0 +1,52 @@
+ name="GitHub Copilot MCP",
+ description="GitHub Copilot Model Context Protocol OAuth provider for AI-powered development assistance",
+ enabled=True,
+ requires_config=False,
+ setup_instructions=(
+ "Connect to GitHub Copilot MCP to enable AI-powered code assistance and repository context. "
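Review bot: `requires_config=False` next to `enabled=True` lets the UI present this provider as connectable before any client credentials exist, yet the PR description says GitHub MCP uses the fallback endpoint pattern with no dynamic client registration, so a client ID and secret have to be configured first. Set `requires_config=True`, as the inline suggestion does, or state in `setup_instructions` where the credentials come from.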
</file context>
[internal] Confidence score: 8/10
[internal] Posted by: General AI Review Agent
requires_config=False, | |
requires_config=True, |
self.logger = logger.bind(service=f"{self.__class__.__name__}") | ||
|
||
# Discover OAuth endpoints before parent initialization | ||
self._discover_oauth_endpoints() |
The MCPAuthProvider
constructor performs a synchronous, blocking HTTP request for endpoint discovery. Because provider instances are created for each API request, this will block the server's event loop and cause severe performance degradation for the entire application.
Prompt for AI agents
Address the following comment on tracecat/integrations/providers/base.py at line 298:
<comment>The `MCPAuthProvider` constructor performs a synchronous, blocking HTTP request for endpoint discovery. Because provider instances are created for each API request, this will block the server's event loop and cause severe performance degradation for the entire application.</comment>
<file context>
@@ -269,3 +274,113 @@ async def get_client_credentials_token(self) -> TokenResponse:
+ self.logger = logger.bind(service=f"{self.__class__.__name__}")
+
+ # Discover OAuth endpoints before parent initialization
+ self._discover_oauth_endpoints()
+ super().__init__(**kwargs)
+
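Review bot: `self._discover_oauth_endpoints()` runs before `super().__init__(**kwargs)`, so whatever the base class sets up (HTTP client, configuration, timeouts) is unavailable during discovery, and the call is synchronous inside an `__init__` that sits beside `async def get_client_credentials_token`. Make discovery an awaitable step performed lazily on first use, cache the metadata per issuer, and give the request an explicit timeout so a slow or unreachable `.well-known` endpoint cannot stall request handling.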
</file context>
[internal] Confidence score: 10/10
[internal] Posted by: System Design Agent
"Review and approve the OAuth permissions", | ||
"Complete authorization to enable Microsoft Learn MCP integration", | ||
], | ||
api_docs_url="https://github.com/microsoft/mcp", |
api_docs_url likely inaccurate; link to official Microsoft Learn or Microsoft identity/MCP documentation.
DEV MODE: This violation would have been filtered out by screening filters. Failing filters: uncertaintyLanguage.
DEV MODE: This violation would have been filtered out by GPT-5.
Reasoning:
• GPT-5: API docs URL concern is speculative and low impact; not a clear, high-confidence technical issue.
• Libraries consulted: Microsoft identity platform v2 endpoint resource parameter scopes authorize token, Azure AD v2.0 endpoint resource parameter not supported scope required authorize token, Microsoft identity platform v1 vs v2 endpoint resource parameter scopes documentation authorize token endpoint, learn.microsoft.com Microsoft identity platform v2 endpoint scopes resource parameter authorize token documentation, Entra-docs
Prompt for AI agents
Address the following comment on tracecat/integrations/providers/microsoft/mcp.py at line 55:
<comment>api_docs_url likely inaccurate; link to official Microsoft Learn or Microsoft identity/MCP documentation.
*DEV MODE: This violation would have been filtered out by screening filters. Failing filters: uncertaintyLanguage.*
DEV MODE: This violation would have been filtered out by GPT-5.
Reasoning:
• **GPT-5**: API docs URL concern is speculative and low impact; not a clear, high-confidence technical issue.
• **Libraries consulted**: Microsoft identity platform v2 endpoint resource parameter scopes authorize token, Azure AD v2.0 endpoint resource parameter not supported scope required authorize token, Microsoft identity platform v1 vs v2 endpoint resource parameter scopes documentation authorize token endpoint, learn.microsoft.com Microsoft identity platform v2 endpoint scopes resource parameter authorize token documentation, Entra-docs</comment>
<file context>
@@ -0,0 +1,56 @@
+ "Review and approve the OAuth permissions",
+ "Complete authorization to enable Microsoft Learn MCP integration",
+ ],
+ api_docs_url="https://github.com/microsoft/mcp",
+ )
</file context>
[internal] Confidence score: 6/10
[internal] Posted by: General AI Review Agent
) | ||
|
||
# No default scopes - authorization server determines based on user permissions | ||
scopes: ClassVar[ProviderScopes] = ProviderScopes(default=[]) |
Empty default scopes mean no scope is sent; if using scope-based endpoints, this can cause invalid_request/invalid_scope errors. Provide appropriate scopes or use endpoints that support resource.
Prompt for AI agents
Address the following comment on tracecat/integrations/providers/microsoft/mcp.py at line 35:
<comment>Empty default scopes mean no scope is sent; if using scope-based endpoints, this can cause invalid_request/invalid_scope errors. Provide appropriate scopes or use endpoints that support resource.</comment>
<file context>
@@ -0,0 +1,56 @@
+ )
+
+ # No default scopes - authorization server determines based on user permissions
+ scopes: ClassVar[ProviderScopes] = ProviderScopes(default=[])
+
+ # Provider metadata
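Review bot: `ProviderScopes(default=[])` together with the empty-scope fix means the Microsoft authorize request carries no `scope` at all; the Microsoft identity platform v2.0 endpoints require `scope` and do not honour `resource`, so the request fails with invalid_request unless a scope such as `<resource>/.default` is supplied. Either set a non-empty default here or revise the comment to say this provider depends on an authorization server that accepts RFC 8707 `resource`.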
</file context>
[internal] Confidence score: 7/10
[internal] Posted by: General AI Review Agent
Summary by cubic
Add MCP OAuth 2.1 support with dynamic discovery and UI changes for seamless “Connect” flows. Introduces GitHub, Linear, Notion, RunReveal, and Sentry MCP integrations.
New Features
Bug Fixes