feat(mcp-oauth): support static clientId for servers without DCR

[proyectoauraorg]

Related GitHub Issue

Aligned with VS Code 1.122 feature #257415 — MCP OAuth with custom clientId.

Description

Adds optional oauth.clientId field to MCP server configuration. When provided, the OAuth provider uses this clientId directly instead of performing Dynamic Client Registration (DCR). This enables connections to OAuth-protected MCP servers that don't support RFC 7591 DCR.

Use case: Many corporate and self-hosted MCP servers require a pre-registered clientId but don't support DCR. Currently, Zoo Code cannot connect to these servers via OAuth.

Changes:

• BaseConfigSchema: add oauth.clientId optional field
• McpOAuthClientProvider: accept clientId in create() options, use it in registerClientIfNeeded() to skip DCR
• McpHub: pass oauth.clientId from config to the provider
• Tests: 2 new tests covering static clientId and precedence over cached DCR data

Example configuration in .roo/mcp.json:

{
  "mcpServers": {
    "corporate-server": {
      "type": "streamable-http",
      "url": "https://mcp.corporate.example.com",
      "oauth": {
        "clientId": "my-app-id-12345"
      }
    }
  }
}

Test Procedure

Unit tests (104 passed):

cd src && npx vitest run services/mcp/__tests__/McpOAuthClientProvider.spec.ts services/mcp/__tests__/McpHub.spec.ts

• McpOAuthClientProvider.spec.ts — 44 tests (42 existing + 2 new for static clientId)
• McpHub.spec.ts — 60 tests (all existing, schema change verified)

New tests:

1. should use static clientId instead of performing DCR — verifies clientId is used directly
2. should use static clientId even when cached data exists — verifies static takes precedence over cached DCR

Pre-Submission Checklist

• Issue Linked: Aligned with VS Code 1.122 feature.
• Scope: Focused on static clientId support only.
• Self-Review: Thorough review performed.
• Testing: 2 new tests added, 104/104 pass.
• Documentation Impact: No doc updates needed (self-documenting config field).
• Contribution Guidelines: Read and agreed.

Documentation Updates

• No documentation updates are required.

Summary by CodeRabbit

• New Features

  • Server configuration schema now supports optional OAuth client ID specification. OAuth-backed server connections can utilize configured client identifiers, providing streamlined authentication setup with additional flexibility for various OAuth provider configurations.

• Tests

  • Added comprehensive test coverage validating static OAuth client ID functionality. Tests ensure proper client initialization behavior with cached credentials and verify correct operation across multiple authentication configuration scenarios.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 78b7cee1-c813-4302-a2bc-70822cb5a11a

📥 Commits

Reviewing files that changed from the base of the PR and between 4d71e5f and 396af15.

📒 Files selected for processing (3)

• src/services/mcp/McpHub.ts
• src/services/mcp/McpOAuthClientProvider.ts
• src/services/mcp/__tests__/McpOAuthClientProvider.spec.ts

---

📝 Walkthrough

Walkthrough

This PR adds support for an optional static OAuth clientId in MCP server configurations to bypass Dynamic Client Registration. The McpHub schema now accepts oauth.clientId, which is forwarded to McpOAuthClientProvider during streamable-http connection setup. The provider uses this static identifier to populate client info directly, avoiding DCR and SecretStorage registration steps. Tests verify both the basic static clientId usage and precedence over cached credentials.

Changes

Static OAuth clientId Configuration

Layer / File(s)	Summary
Configuration contract and hub integration src/services/mcp/McpHub.ts	ServerConfigSchema now includes optional oauth: { clientId?: string } configuration object, and McpHub passes configInjected.oauth?.clientId to McpOAuthClientProvider.create() when connecting streamable-http servers.
Provider static clientId support src/services/mcp/McpOAuthClientProvider.ts	McpOAuthClientProvider constructor stores optional _staticClientId, create() method signature extended to accept options: { skipDiscovery?, clientId? }, and registerClientIfNeeded() checks for static clientId to populate _clientInfo directly with client_id and redirectUrl, returning early and bypassing SecretStorage DCR.
Static clientId verification tests src/services/mcp/__tests__/McpOAuthClientProvider.spec.ts	Test group static clientId support verifies that provided clientId is used during registration instead of DCR, and that static clientId overrides any cached client_info in secret storage.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Zoo-Code-Org/Zoo-Code#1: This PR extends the OAuth 2.1 streamable-http implementation's dynamic client registration logic by adding a static clientId path to bypass DCR.

Suggested reviewers

• taltas

Poem

🐰 A static client hops right in,
No registration dance needed to win,
OAuth flows smooth, config so sweet,
DCR bypass makes the flow complete! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely summarizes the main change: adding static clientId support for MCP OAuth servers without DCR, which is the core objective of the PR.
Description check	✅ Passed	The PR description covers all required template sections: issue linkage, clear implementation details, comprehensive test procedure, and a complete pre-submission checklist. All critical sections are filled out.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

src/services/mcp/McpHub.ts

ESLint skipped: missing config or dependency (missing-dependency). The ESLint configuration references a package that is not available in the sandbox.

src/services/mcp/McpOAuthClientProvider.ts

ESLint skipped: the ESLint configuration for this file references a package that is not available in the sandbox.

src/services/mcp/__tests__/McpOAuthClientProvider.spec.ts

ESLint skipped: the ESLint configuration for this file references a package that is not available in the sandbox.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 93.75000% with 1 line in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
src/services/mcp/McpHub.ts	83.33%	1 Missing ⚠️

📢 Thoughts on this report? Let us know!

[edelauna]

Wouldn't this also require a secret?

This would also require the whole normal OAuth 2.0 flow to be available when provided. This is larger than a 3 file change.