Provider-specific MCP OAuth dispatch.
resolve_provider(url) returns the registered policy whose matches
predicate fires for url, with GenericProvider as the fallback.
Return the provider policy that owns server_url.
Fallback provider for spec-compliant MCP servers with no quirks.
Outcome of a provider's pre-handshake run_login step.
Base class for provider-specific OAuth dispatch.
Subclasses override matches plus whichever of client_metadata
and run_login they customize. The default implementations cover
the spec-compliant Authorization Code + PKCE + Dynamic Client
Registration path.
GitHub-hosted MCP: RFC 8628 Device Authorization Grant.
Slack-hosted MCP: paste-back Authorization Code with a public client.
Slack-hosted MCP OAuth provider.
Slack's hosted MCP endpoint uses the Authorization Code flow with a
hardcoded public client ID and the loopback redirect URI. The user
copy-pastes the redirected URL back into the CLI rather than running a
local server, and an optional team query parameter selects the
workspace to install the app into.
Policy interface for provider-specific MCP OAuth quirks.
Each concrete provider module (e.g. slack, github) subclasses
OAuthProvider to encode its own URL match rule, client metadata, and
any pre-handshake login steps (preseeding client info, running a
device flow, prompting for workspace IDs). mcp_auth dispatches to
the first matching provider via resolve_provider, so adding a new
provider is one new module plus one registry entry — no edits to
build_oauth_provider or login.
GitHub-hosted MCP OAuth provider.
GitHub's remote MCP at api.githubcopilot.com authenticates via RFC
8628 Device Authorization Grant — the CLI runs the device flow,
persists the resulting token plus a stub client-info record, and skips
the standard Authorization Code handshake entirely.
