
fix(mcp): register OAuth callback before opening browser #9646

Merged

rekram1-node merged 1 commit into anomalyco:dev from msvechla:fix/oauth-race-condition on Jan 20, 2026

Conversation

@msvechla
Contributor

Summary

Fix race condition where the OAuth callback arrives before the state is registered in the pendingAuths map.

Fixes #9645

Problem

When using MCP servers with OAuth authentication (e.g., Keycloak), the OAuth flow fails with a CSRF error if the Identity Provider has an active SSO session:

No pending authentication for state: <state>

Root Cause

The current code flow is:

  1. open(authorizationUrl) - Opens browser
  2. McpOAuthCallback.waitForCallback(oauthState) - Registers callback handler

When the IdP has an active SSO session, the redirect back to the callback URL happens before step 2 completes. The callback handler receives the authorization code but can't find the state in pendingAuths, triggering the CSRF protection error.

Solution

Move waitForCallback() to before opening the browser:

// Register the callback BEFORE opening the browser to avoid race condition
const callbackPromise = McpOAuthCallback.waitForCallback(oauthState)

// Now open browser - even if redirect is instant, we're ready
await open(authorizationUrl)

// Wait for the already-registered promise
const code = await callbackPromise

Testing

  • Tested with Keycloak IdP that has active SSO session (fast redirect)
  • Tested with fresh authentication flow (slow redirect with user interaction)
  • Both scenarios now work correctly

Fix race condition where the OAuth callback arrives before the state
is registered in the pendingAuths map. This happens when the IdP has an
active SSO session and redirects immediately back to the callback URL.

The fix moves waitForCallback() to BEFORE opening the browser, ensuring
the callback handler is ready to receive the authorization code even if
the redirect happens instantly.

Symptoms before fix:
- CSRF error 'No pending authentication for state: ...'
- Only occurs with active SSO sessions (fast redirects)
- Works fine when user has to manually authenticate (slow redirects)

Fixes anomalyco#9645
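The race described in the PR above, as an added example that is not opencode's code: a small TypeScript model in which `pendingAuths`, `waitForCallback` and `handleCallback` are assumed reconstructions of the behaviour the PR names, `FakeBrowser` stands in for `open(authorizationUrl)` and the loopback listener (its "sso" mode delivers the redirect before `open` returns, its "login" mode delivers it later, as after a manual login), and `authorize` runs the flow in either order with a bounded wait so the pre-fix ordering reports a result instead of hanging.

```typescript
// Added example, not opencode's code. pendingAuths, waitForCallback and
// handleCallback are assumed reconstructions of the behaviour the PR names;
// FakeBrowser stands in for open(authorizationUrl) and the loopback listener.

type Waiter = { resolve: (code: string) => void }

// state -> waiter; stands in for the pendingAuths map the PR refers to.
const pendingAuths = new Map<string, Waiter>()

// Register the state we expect and return a promise for the authorization code.
function waitForCallback(state: string): Promise<string> {
  return new Promise<string>((resolve) => {
    pendingAuths.set(state, { resolve })
  })
}

// What the loopback handler does when the IdP redirects back. A state that
// was never registered is treated as a possible CSRF attempt and rejected,
// which is the error quoted in the PR. Returns the error text, or null.
function handleCallback(state: string, code: string): string | null {
  const waiter = pendingAuths.get(state)
  if (!waiter) return `No pending authentication for state: ${state}`
  pendingAuths.delete(state)
  waiter.resolve(code)
  return null
}

// Stand-in for open(authorizationUrl). "sso" models an IdP with an active
// session: the redirect is delivered before open() returns. "login" models a
// user who must authenticate first, so the redirect arrives later.
class FakeBrowser {
  handlerErrors: string[] = []
  constructor(private mode: "sso" | "login") {}

  async open(state: string): Promise<void> {
    const deliverRedirect = () => {
      const err = handleCallback(state, "code-for-" + state)
      if (err !== null) this.handlerErrors.push(err)
    }
    if (this.mode === "sso") deliverRedirect()
    else setTimeout(deliverRedirect, 5)
  }
}

type Outcome = { code: string } | { error: string }

// Run the flow in the order used before the fix or after it. A bounded wait
// replaces the indefinite hang so the buggy ordering yields a visible result.
async function authorize(
  browser: FakeBrowser,
  state: string,
  order: "open-then-register" | "register-then-open",
  limitMs = 50,
): Promise<Outcome> {
  let callbackPromise: Promise<string>
  if (order === "open-then-register") {
    await browser.open(state)                // before the fix
    callbackPromise = waitForCallback(state)
  } else {
    callbackPromise = waitForCallback(state) // after the fix
    await browser.open(state)
  }
  const timeout = new Promise<Outcome>((resolve) =>
    setTimeout(() => resolve({ error: "timed out waiting for callback" }), limitMs),
  )
  const outcome = await Promise.race([
    callbackPromise.then((code): Outcome => ({ code })),
    timeout,
  ])
  pendingAuths.delete(state) // drop a waiter left behind by a timed-out run
  return outcome
}
```

With the "sso" browser, `authorize(browser, state, "open-then-register")` records the CSRF-style handler error synchronously during `open` and then times out, while `"register-then-open"` resolves with the code; with the "login" browser both orderings succeed, which is why the bug only surfaced against an IdP with an active session.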
@github-actions
Contributor

The following comment was made by an LLM; it may be inaccurate:

No duplicate PRs found

@rekram1-node
Collaborator

/review

@github-actions
Contributor

lgtm

@rekram1-node merged commit 8f62d4a into anomalyco:dev on Jan 20, 2026
4 checks passed
xywsxp pushed a commit to xywsxp/opencode that referenced this pull request Apr 24, 2026
Rwanbt pushed a commit to Rwanbt/opencode that referenced this pull request May 5, 2026

Development

Successfully merging this pull request may close these issues.

OAuth state validation race condition with fast identity provider redirects

2 participants