feat(oauth): use asExternalUrl to get the correct callback

Author: JonZeolla

CONTRIBUTING.md

@@ -60,7 +60,6 @@ Continue is quickly adding features, and we'd love to hear which are the most im
 an enhancement are:
 
 - Create an issue
-
   - First, check whether a similar proposal has already been made
   - If not, [create an issue](https://github.com/continuedev/continue/issues)
   - Please describe the enhancement in as much detail as you can, and why it would be useful
@@ -146,7 +145,6 @@ npm i -g vite
    `install-all-dependencies`
 
 2. Start debugging:
-
    1. Switch to Run and Debug view
    2. Select `Launch extension` from drop down
    3. Hit play button

binary/package-lock.json

@@ -692,6 +692,8 @@ declare global {
   
     openUrl(url: string): Promise<void>;
   
+    getExternalUri?(uri: string): Promise<string>;
+  
     runCommand(command: string): Promise<void>;
   
     saveFile(filepath: string): Promise<void>;

core/config/types.ts

@@ -12,65 +12,121 @@ import { IDE, MCPServerStatus, SSEOptions } from "../..";
 
 import http from "http";
 import url from "url";
+import crypto from "crypto";
 import { GlobalContext, GlobalContextType } from "../../util/GlobalContext";
 
-let authenticatingMCPContext = null as {
-  authenticatingServer: MCPServerStatus;
-  ide: IDE;
-} | null;
+// Use a Map to support concurrent authentications for different servers
+const authenticatingContexts = new Map<
+  string,
+  {
+    authenticatingServer: MCPServerStatus;
+    ide: IDE;
+    state?: string;
+  }
+>();
+
+// Map state parameters to server URLs for OAuth callback matching
+const stateToServerUrl = new Map<string, string>();
 
 const PORT = 3000;
 
-const server = http.createServer((req, res) => {
-  try {
-    if (!req.url) {
-      throw new Error("no url found");
-    }
+let serverInstance: http.Server | null = null;
 
-    const parsedUrl = url.parse(req.url, true);
-    if (!parsedUrl.query["code"]) {
-      throw new Error("no query params found");
-    }
+const createServerForOAuth = () =>
+  http.createServer((req, res) => {
+    try {
+      if (!req.url) {
+        throw new Error("no url found");
+      }
+
+      const parsedUrl = url.parse(req.url, true);
+      if (!parsedUrl.query["code"]) {
+        throw new Error("no query params found");
+      }
+
+      const code = parsedUrl.query["code"] as string;
+      const state = parsedUrl.query["state"] as string | undefined;
 
-    void handleMCPOauthCode(parsedUrl.query["code"] as string);
+      void handleMCPOauthCode(code, state);
 
-    const html = `
+      const html = `
 <!DOCTYPE html>
 <html>
 <head><title>Authentication Complete</title></head>
 <body>Authentication Complete. You can close this page now.</body>
 </html>`;
 
-    res.writeHead(200, {
-      "Content-Type": "text/html",
-    });
-    res.end(html);
-  } catch (error) {
-    res.writeHead(400, { "Content-Type": "text/plain" });
-    res.end(`Unexpected redirect error:  ${(error as Error).message}`);
-  }
-});
+      res.writeHead(200, {
+        "Content-Type": "text/html",
+      });
+      res.end(html);
+    } catch (error) {
+      res.writeHead(400, { "Content-Type": "text/plain" });
+      res.end(`Unexpected redirect error:  ${(error as Error).message}`);
+    }
+  });
 
 type MCPOauthStorage = GlobalContextType["mcpOauthStorage"][string];
 type MCPOauthStorageKey = keyof MCPOauthStorage;
 
 class MCPConnectionOauthProvider implements OAuthClientProvider {
   private globalContext: GlobalContext;
+  private _redirectUrl: string;
+  private _redirectUrlInitialized: Promise<void>;
 
   constructor(
     public oauthServerUrl: string,
     private ide: IDE,
   ) {
     this.globalContext = new GlobalContext();
+    // Set default redirect URL immediately for synchronous access
+    this._redirectUrl = `http://localhost:${PORT}`;
+    // Initialize actual redirect URL asynchronously
+    this._redirectUrlInitialized = this._initializeRedirectUrl();
+  }
+
+  private async _initializeRedirectUrl(): Promise<void> {
+    try {
+      // If IDE supports getExternalUri (VS Code extension), use it for dynamic redirect URI
+      if (this.ide.getExternalUri) {
+        const localUri = `http://localhost:${PORT}`;
+        const externalUri = await this.ide.getExternalUri(localUri);
+        this._redirectUrl = externalUri;
+      }
+      // Otherwise keep the default localhost URL
+    } catch (error) {
+      console.error("Failed to initialize redirect URL:", error);
+      // Keep default URL on error
+    }
   }
 
   get redirectUrl() {
-    return `http://localhost:${PORT}`; // TODO: this has to be a hub url or should we spin up a server?
+    // Always return a valid URL, even if initialization is pending
+    return this._redirectUrl;
+  }
+
+  getRedirectUrlWithState(state: string): string {
+    // Add state parameter to redirect URL
+    const urlObj = new URL(this._redirectUrl);
+    urlObj.searchParams.set("state", state);
+    return urlObj.toString();
+  }
+
+  async ensureRedirectUrl(): Promise<string> {
+    // Wait for initialization to complete before returning
+    await this._redirectUrlInitialized;
+    return this._redirectUrl;
   }
 
   get clientMetadata() {
+    // Generate state parameter if needed
+    const state = authenticatingContexts.get(this.oauthServerUrl)?.state;
+    const redirectUri = state
+      ? this.getRedirectUrlWithState(state)
+      : this.redirectUrl;
+
     return {
-      redirect_uris: [this.redirectUrl],
+      redirect_uris: [redirectUri],
       token_endpoint_auth_method: "none",
       grant_types: ["authorization_code", "refresh_token"],
       response_types: ["code"],
@@ -151,14 +207,28 @@ class MCPConnectionOauthProvider implements OAuthClientProvider {
   }
 
   async redirectToAuthorization(authorizationUrl: URL) {
-    if (!server.listening) {
-      server.listen(PORT, () => {
-        console.debug(
-          `Server started for MCP Oauth process at http://localhost:${PORT}/`,
-        );
-      });
+    // Ensure redirect URL is initialized before proceeding
+    await this.ensureRedirectUrl();
+
+    // Only create and start local server if using localhost redirect
+    // For web-based VS Code, the redirect will be handled by VS Code's built-in mechanism
+    if (!this.ide.getExternalUri || this._redirectUrl.includes("localhost")) {
+      if (!serverInstance) {
+        serverInstance = createServerForOAuth();
+      }
+      if (!serverInstance.listening) {
+        await new Promise<void>((resolve, reject) => {
+          serverInstance!.listen(PORT, () => {
+            console.debug(
+              `Server started for MCP Oauth process at http://localhost:${PORT}/`,
+            );
+            resolve();
+          });
+          serverInstance!.on("error", reject);
+        });
+      }
     }
-    void this.ide.openUrl(authorizationUrl.toString());
+    await this.ide.openUrl(authorizationUrl.toString());
   }
 }
 
@@ -175,49 +245,109 @@ export async function getOauthToken(mcpServerUrl: string, ide: IDE) {
 export async function performAuth(mcpServer: MCPServerStatus, ide: IDE) {
   const mcpServerUrl = (mcpServer.transport as SSEOptions).url;
   const authProvider = new MCPConnectionOauthProvider(mcpServerUrl, ide);
-  authenticatingMCPContext = {
+  // Ensure redirect URL is ready before starting auth
+  await authProvider.ensureRedirectUrl();
+
+  // Generate a unique state parameter for this auth flow
+  const state = crypto.randomUUID();
+
+  // Store context for this specific server with state
+  authenticatingContexts.set(mcpServerUrl, {
     authenticatingServer: mcpServer,
     ide,
-  };
-  return await auth(authProvider, {
-    serverUrl: mcpServerUrl,
+    state,
   });
+
+  // Map state to server URL for callback matching
+  stateToServerUrl.set(state, mcpServerUrl);
+
+  try {
+    return await auth(authProvider, {
+      serverUrl: mcpServerUrl,
+    });
+  } catch (error) {
+    // Clean up on error
+    authenticatingContexts.delete(mcpServerUrl);
+    stateToServerUrl.delete(state);
+    throw error;
+  }
 }
 
 /**
  * handle the authentication code received from the oauth redirect
  */
-async function handleMCPOauthCode(authorizationCode: string) {
-  if (!authenticatingMCPContext) {
-    return;
-  }
-  const { ide, authenticatingServer } = authenticatingMCPContext;
-  const serverUrl = (authenticatingServer.transport as SSEOptions).url;
+async function handleMCPOauthCode(authorizationCode: string, state?: string) {
+  let serverUrl: string | undefined;
+  let context:
+    | { authenticatingServer: MCPServerStatus; ide: IDE; state?: string }
+    | undefined;
 
-  if (!serverUrl) {
-    void ide.showToast("error", "No MCP server url found for authentication");
-    return;
+  if (state) {
+    // Use state parameter to find the correct server
+    serverUrl = stateToServerUrl.get(state);
+    if (serverUrl) {
+      context = authenticatingContexts.get(serverUrl);
+    }
+  } else {
+    // Fallback: if no state or single context, use the first one
+    const contexts = Array.from(authenticatingContexts.entries());
+    if (contexts.length === 1) {
+      [serverUrl, context] = contexts[0];
+    }
   }
-  if (!authorizationCode) {
-    void ide.showToast(
-      "error",
-      `No MCP authorization code found for ${serverUrl}`,
-    );
+
+  if (!context || !serverUrl) {
+    console.error("No matching authenticating context found for state:", state);
     return;
   }
-  server.close(() => console.debug("Server for MCP Oauth process was closed"));
-  const authProvider = new MCPConnectionOauthProvider(serverUrl, ide);
-  const authStatus = await auth(authProvider, {
-    serverUrl,
-    authorizationCode,
-  });
-  if (authStatus === "AUTHORIZED") {
-    const { MCPManagerSingleton } = await import("./MCPManagerSingleton"); // put dynamic import to avoid cyclic imports
-    await MCPManagerSingleton.getInstance().refreshConnection(
-      authenticatingServer.id,
-    );
+
+  const { ide, authenticatingServer } = context;
+
+  try {
+    if (!serverUrl) {
+      throw new Error("No MCP server url found for authentication");
+    }
+    if (!authorizationCode) {
+      throw new Error(`No MCP authorization code found for ${serverUrl}`);
+    }
+
+    // Close the server before processing auth
+    if (serverInstance) {
+      await new Promise<void>((resolve) => {
+        serverInstance!.close(() => {
+          console.debug("Server for MCP Oauth process was closed");
+          serverInstance = null;
+          resolve();
+        });
+      });
+    }
+
+    const authProvider = new MCPConnectionOauthProvider(serverUrl, ide);
+    await authProvider.ensureRedirectUrl();
+    const authStatus = await auth(authProvider, {
+      serverUrl,
+      authorizationCode,
+    });
+
+    if (authStatus === "AUTHORIZED") {
+      const { MCPManagerSingleton } = await import("./MCPManagerSingleton"); // put dynamic import to avoid cyclic imports
+      await MCPManagerSingleton.getInstance().refreshConnection(
+        authenticatingServer.id,
+      );
+    }
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : String(error);
+    console.error("OAuth authorization failed:", errorMessage);
+    if (context?.ide) {
+      await context.ide.showToast("error", `OAuth failed: ${errorMessage}`);
+    }
+  } finally {
+    // Always clean up the context and state mapping
+    authenticatingContexts.delete(serverUrl);
+    if (state) {
+      stateToServerUrl.delete(state);
+    }
   }
-  authenticatingMCPContext = null;
 }
 
 export function removeMCPAuth(mcpServer: MCPServerStatus, ide: IDE) {