Document callbackPath requirement for MCP OAuth security (agents#868)#28198
Closed
agents-git-bot[bot] wants to merge 2 commits into
Closed
Document callbackPath requirement for MCP OAuth security (agents#868)#28198agents-git-bot[bot] wants to merge 2 commits into
agents-git-bot[bot] wants to merge 2 commits into
Conversation
Update MCP client API documentation to reflect new security requirements from agents PR #868: - Clarify that callbackPath is required when sendIdentityOnConnect is false - Document that addMcpServer() throws an error without callbackPath - Explain the enhanced callback matching logic (state param + origin/pathname verification) - Add details about callbackPath format requirements (plain path, no query strings) Related to: cloudflare/agents#868 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
agents-git-bot
Bot
requested review from
elithrar,
irvinebroque,
rita3ko,
thomasgauvin,
threepointone and
whoiskatrin
as code owners
February 8, 2026 23:05
Contributor
|
This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:
|
Update MCP client API documentation to reflect the new security requirement that callbackPath must be provided when sendIdentityOnConnect is false. Changes: - Emphasize that callbackPath is REQUIRED (not optional) when sendIdentityOnConnect is false - Add error behavior information (throws if callbackPath is missing) - Update callback matching explanation (state parameter + origin/pathname verification) - Add example callback URL format for custom callbackPath - Clarify security implications (OAuth provider, browser history, address bar) Related to cloudflare/agents#868 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Contributor
Author
|
Updated documentation with more comprehensive explanation of the security issue and callback matching mechanism. Changes:
|
Contributor
|
Preview URL: https://01029365.preview.developers.cloudflare.com Files with changes (up to 15) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Updates MCP client API documentation to reflect security improvements from cloudflare/agents#868.
Changes
callbackPathis now required whensendIdentityOnConnectisfalse, and thataddMcpServer()will throw an error if not providedstatequery parameter plus origin/pathname verification for defense-in-depthcallbackPathformat requirements (should be a plain path without query strings or fragments)Context
When using
sendIdentityOnConnect: falseto protect sensitive instance names (like session IDs or user IDs), the default OAuth callback URL would expose the instance name in the path. This PR documents the new requirement to provide a customcallbackPaththat prevents this security issue.Related PR
🤖 Generated with Claude Code