
Add MCP OAuth device flow for protected namespaces #4

Draft
Copilot wants to merge 13 commits into client-mcp from copilot/fix-verification-link-prompt


Copilot AI commented Feb 3, 2026

MCP server couldn't access protected namespaces: no TTY for browser OAuth, MCP clients time out at ~60s, and the token iterator doesn't discover tokens saved to OSDF config.

OAuth2 Device Flow (oauth2/oauth2.go)

  • InitiateDeviceAuth() — returns verification URL without blocking
  • PollDeviceAuth() — polls with context cancellation support
  • DeviceAuthInfo struct holds flow state between calls

Client Wrappers (client/acquire_token.go)

  • InitiateDeviceAuth() — federation discovery + client registration
  • CompleteDeviceAuth() — returns (token, namespace, error) for cache keying

MCP Server State (mcp/server.go)

  • pendingAuths map for in-flight auth state
  • cachedTokens map keyed by namespace prefix
  • getTokenForURL() matches URLs to cached tokens via path prefix
  • Sets PELICAN_SKIP_TERMINAL_CHECK=true on init

MCP Tools (mcp/tools.go)

  • pelican_auth — initiates device flow, returns verification URL immediately
  • pelican_auth_complete — polls (45s timeout), caches token by namespace
  • handleDownload/Stat/List — auto-inject cached tokens
  • pelican_download — updated description to require user-provided destination

Example Flow

User: List pelican://osg-htc.org/osdf-tutorial/protected

AI: [pelican_auth]
🔐 Visit: https://cilogon.org/device?user_code=ABCD-1234

User: Done.

AI: [pelican_auth_complete]
✅ Token cached for /osdf-tutorial/protected

AI: [pelican_list] → uses cached token → success

Note: The verification link validity (typically 15 min) is server-driven via the OAuth expires_in response field, not hardcoded.


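One way to implement the namespace-keyed token lookup described above, as an added example that is not code from this PR. The names `cachedToken`, `tokenCache`, `put` and `lookup` are hypothetical. It goes beyond the description by matching on whole path segments after normalizing the path (a plain string-prefix test would also attach the token to `/osdf-tutorial/protected-other`), by preferring the longest matching namespace, and by skipping expired tokens.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
	"time"
)

// cachedToken and tokenCache are hypothetical names, not the PR's types.
// tokenCache maps a namespace prefix such as "/osdf-tutorial/protected" to a token.
type cachedToken struct{ value string; expires time.Time }
type tokenCache map[string]cachedToken

func (c tokenCache) put(ns, tok string, exp time.Time) {
	c[path.Clean("/"+ns)] = cachedToken{tok, exp}
}

// lookup returns the unexpired token of the longest cached namespace that
// contains the URL's path, matching on whole path segments only.
func (c tokenCache) lookup(rawURL string, now time.Time) (string, bool) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", false
	}
	p := path.Clean("/" + u.Path) // resolves "..", "//" and decoded %2e%2e
	best, tok := "", ""
	for ns, t := range c {
		inNS := p == ns || strings.HasPrefix(p, strings.TrimSuffix(ns, "/")+"/")
		if inNS && now.Before(t.expires) && len(ns) > len(best) {
			best, tok = ns, t.value
		}
	}
	return tok, best != ""
}

func main() {
	now := time.Now()
	c := tokenCache{}
	c.put("/osdf-tutorial/protected", "constructed-token", now.Add(15*time.Minute))
	for _, u := range []string{ // constructed sample URLs
		"pelican://osg-htc.org/osdf-tutorial/protected/data.txt",
		"pelican://osg-htc.org/osdf-tutorial/protected-other/data.txt",
		"pelican://osg-htc.org/osdf-tutorial/protected/../public/data.txt",
	} {
		_, ok := c.lookup(u, now)
		fmt.Printf("%s -> token attached: %v\n", u, ok)
	}
}
```

Only the first URL gets the token; the sibling namespace and the `..` traversal resolve outside the cached prefix and are sent without it.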

Copilot AI and others added 3 commits February 3, 2026 19:41
Co-authored-by: h2zh <61568048+h2zh@users.noreply.github.com>
Co-authored-by: h2zh <61568048+h2zh@users.noreply.github.com>
Co-authored-by: h2zh <61568048+h2zh@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix limitation for verification link prompt in protected namespace Add pelican_auth MCP tool for protected namespace authentication Feb 3, 2026
Copilot AI requested a review from h2zh February 3, 2026 19:49
Copilot AI and others added 2 commits February 3, 2026 22:18
… version

Co-authored-by: h2zh <61568048+h2zh@users.noreply.github.com>
Co-authored-by: h2zh <61568048+h2zh@users.noreply.github.com>
Copilot AI changed the title Add pelican_auth MCP tool for protected namespace authentication Add pelican_auth MCP tool for protected namespaces and fix server timeout Feb 3, 2026
Co-authored-by: h2zh <61568048+h2zh@users.noreply.github.com>
Copilot AI changed the title Add pelican_auth MCP tool for protected namespaces and fix server timeout Add MCP pelican_auth tool for protected namespace authentication Feb 3, 2026
Co-authored-by: h2zh <61568048+h2zh@users.noreply.github.com>
Co-authored-by: h2zh <61568048+h2zh@users.noreply.github.com>
Copilot AI changed the title Add MCP pelican_auth tool for protected namespace authentication Add MCP tools for protected namespace authentication via OAuth device flow Feb 3, 2026
Co-authored-by: h2zh <61568048+h2zh@users.noreply.github.com>
Co-authored-by: h2zh <61568048+h2zh@users.noreply.github.com>
Copilot AI changed the title Add MCP tools for protected namespace authentication via OAuth device flow Add MCP authentication tools for protected namespaces via OAuth device flow Feb 3, 2026
…quent operations

Co-authored-by: h2zh <61568048+h2zh@users.noreply.github.com>
Copilot AI changed the title Add MCP authentication tools for protected namespaces via OAuth device flow Add MCP OAuth device flow for protected namespaces Feb 4, 2026
Update the tool description to explicitly instruct AI assistants to
ask users for a destination directory before downloading. This prevents
the LLM from guessing paths that may have permission issues.

Changes:
- Updated tool description to emphasize asking users for destination
- Updated destination parameter description with prompt suggestion

Co-authored-by: h2zh <61568048+h2zh@users.noreply.github.com>
2 participants