feat(web): MCP OAuth consent page#1118
Conversation
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! | supermemory-mcp | 651e304 | Jun 16 2026, 05:35 PM |

| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! | supermemory-app | 651e304 | Commit Preview URL / Branch Preview URL | Jun 16 2026, 05:36 PM |
Claude finished @Prasanna721's task in 2m 29s. PR Review Complete

Overview: Adds OAuth consent UI for MCP clients with org picker, permission selection (read/write), and scoped access to specific spaces.

Issues found:

- Silent failure of the `/v3/mcp/connect-scope` call: if saving the user's scope preferences fails, the OAuth consent still proceeds. The user may think they limited access to specific spaces, but the token could be issued with broader permissions.

Score: 8/10

The UI implementation is clean and well-structured. The main concern is the silent error handling on the scope-setting API call, which could lead to a mismatch between what the user approved and what access was actually granted. The rest of the code handles errors appropriately and the OAuth flow looks solid.
| if (!oauthQuery) { | ||
| setError( | ||
| "Missing authorization request. Start the flow again from your app.", | ||
| ) |
Bug: Silent failure may grant broader access than user intended
If the /v3/mcp/connect-scope request fails (network error, 500, auth issue), the error is silently swallowed and the OAuth consent proceeds anyway. The user sees "Scoped access to spaces X, Y, Z" on the consent screen, approves, but their scope preferences weren't actually saved.
Depending on how the backend handles missing scope data, the issued token may have broader permissions than the user selected.
| ) | |
| }).catch((err) => { | |
| console.error("Failed to save scope preferences:", err) | |
| throw err // Abort consent if scope preferences can't be saved | |
| }) |
If you want to allow consent to proceed even on scope-save failure, at minimum log a warning and consider showing the user a notice that their scope preferences may not have been applied.
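As an added example that is not code from the PR or from supermemory, the following TypeScript shows the two behaviours discussed above side by side: a consent submit handler that fires the scope save and proceeds regardless (the pattern the review flags), and a fail-closed variant that awaits the save, surfaces the failure to the user, and returns without approving. The dependency shape (`ConsentDeps`, `saveScope`, `approve`), the fake backend, and the sample selection are assumptions for illustration, not the project's API; the fake backend stands in for `/v3/mcp/connect-scope` and the authorization endpoint so the example runs offline.

```typescript
// Added example, not code from the PR or from supermemory. All names here
// (ConsentDeps, saveScope, approve, makeFakeBackend) are illustrative assumptions.

export type Permission = "read" | "read_write";

export type Scope =
  | { kind: "full" }
  | { kind: "spaces"; containerTags: string[] }; // scoped to specific container-tag spaces

export interface ConsentSelection {
  orgId: string;
  permission: Permission;
  scope: Scope;
}

export interface ConsentDeps {
  // Stand-in for the POST /v3/mcp/connect-scope call; rejects on network/5xx/auth failure.
  saveScope: (sel: ConsentSelection) => Promise<void>;
  // Stand-in for completing the authorization request; resolves to the redirect
  // that hands the authorization code back to the MCP client.
  approve: (oauthQuery: string, sel: ConsentSelection) => Promise<string>;
}

export type ConsentResult =
  | { ok: true; redirect: string }
  | { ok: false; error: string };

const MISSING_REQUEST = "Missing authorization request. Start the flow again from your app.";

// The pattern the review flags: the scope save is fire-and-forget, so a failure
// is only logged and approval proceeds with whatever scope the backend defaults to.
export async function approveLeaky(
  deps: ConsentDeps, oauthQuery: string | null, sel: ConsentSelection,
): Promise<ConsentResult> {
  if (!oauthQuery) return { ok: false, error: MISSING_REQUEST };
  void deps.saveScope(sel).catch((err: unknown) => {
    console.error("Failed to save scope preferences:", err);
  });
  return { ok: true, redirect: await deps.approve(oauthQuery, sel) };
}

// Fail-closed variant: await the save; if it fails, tell the user and return
// without approving, so no code (and later no token) is issued with unsaved scope.
export async function approveFailClosed(
  deps: ConsentDeps, oauthQuery: string | null, sel: ConsentSelection,
): Promise<ConsentResult> {
  if (!oauthQuery) return { ok: false, error: MISSING_REQUEST };
  try {
    await deps.saveScope(sel);
  } catch (err: unknown) {
    console.error("Failed to save scope preferences:", err);
    return {
      ok: false,
      error: "Could not save your scope preferences, so access was not granted. Please try again.",
    };
  }
  return { ok: true, redirect: await deps.approve(oauthQuery, sel) };
}

// Constructed fake backend (not a real server): records the stored scope and
// whether approval happened, and can be told to fail the scope save.
export function makeFakeBackend(scopeSaveFails: boolean) {
  const state = { storedScope: null as ConsentSelection | null, approved: false };
  const deps: ConsentDeps = {
    saveScope: async (sel) => {
      if (scopeSaveFails) throw new Error("500 Internal Server Error");
      state.storedScope = sel;
    },
    approve: async (oauthQuery, _sel) => {
      state.approved = true;
      return `https://client.example/callback?${oauthQuery}&code=constructed-code`;
    },
  };
  return { deps, state };
}

// Runs both handlers against a failing scope save (constructed input) and reports the outcome.
export async function demo() {
  const sel: ConsentSelection = {
    orgId: "org_123",
    permission: "read",
    scope: { kind: "spaces", containerTags: ["project-alpha"] },
  };
  const query = "client_id=claude-code&state=abc123";

  const leaky = makeFakeBackend(true);
  const leakyResult = await approveLeaky(leaky.deps, query, sel);
  const closed = makeFakeBackend(true);
  const closedResult = await approveFailClosed(closed.deps, query, sel);
  const missingRequest = await approveFailClosed(makeFakeBackend(false).deps, null, sel);

  return {
    leaky: { result: leakyResult, approved: leaky.state.approved, storedScope: leaky.state.storedScope },
    failClosed: { result: closedResult, approved: closed.state.approved, storedScope: closed.state.storedScope },
    missingRequest,
  };
}
```

With the scope save failing, `approveLeaky` still approves while the stored scope stays empty, which is exactly the mismatch between what the user saw and what was granted; `approveFailClosed` returns an error and never calls approve. The design choice is to treat the scope save as a precondition of approval rather than a side effect of it.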
Consent + connect UI for the new OAuth 2.1 provider. The API side lives in mono#1812 (stacked on the Enterprise MCP PR). When an MCP client starts OAuth, this is the page where you pick the org and approve access.

What's here:

- `/oauth/consent`: the consent screen. Pick an organization (cards), then set access: permission (read / read+write) and scope (full, or scoped to specific container-tag spaces with a searchable picker). Approving hands the code back to the client.
- `/connect`: plugin-aware entry for known clients (Claude Code, etc.).
- `ConsentCard.tsx`: shared card component (org list with fade, dual-icon connecting header, scoped-spaces picker), built to reuse across plugins.
- plus a fix to the mcp resource metadata.

Pairs with mono#1812 (the API OAuth provider) and the Enterprise MCP PR. Draft until the end-to-end flow is verified.