feat: Add OAuth 2.0 Authentication Support in Edit Gateway

Signed-off-by: Shamsul Arefin <[email protected]>

Author: Shamsul Arefin

mcpgateway/admin.py

@@ -2914,6 +2914,20 @@ async def admin_edit_gateway(
         else:
             passthrough_headers = None
 
+        # Parse OAuth configuration if present
+        oauth_config_json = str(form.get("oauth_config"))
+        oauth_config: Optional[dict[str, Any]] = None
+        if oauth_config_json and oauth_config_json != "None":
+            try:
+                oauth_config = json.loads(oauth_config_json)
+                # Encrypt the client secret if present and not empty
+                if oauth_config and "client_secret" in oauth_config and oauth_config["client_secret"]:
+                    encryption = get_oauth_encryption(settings.auth_encryption_secret)
+                    oauth_config["client_secret"] = encryption.encrypt_secret(oauth_config["client_secret"])
+            except (json.JSONDecodeError, ValueError) as e:
+                LOGGER.error(f"Failed to parse OAuth config: {e}")
+                oauth_config = None
+
         gateway = GatewayUpdate(  # Pydantic validation happens here
             name=str(form.get("name")),
             url=str(form["url"]),
@@ -2929,6 +2943,7 @@ async def admin_edit_gateway(
             auth_value=str(form.get("auth_value", "")),
             auth_headers=auth_headers if auth_headers else None,
             passthrough_headers=passthrough_headers,
+            oauth_config=oauth_config,
         )
         await gateway_service.update_gateway(db, gateway_id, gateway)
         return JSONResponse(

mcpgateway/schemas.py

@@ -2138,6 +2138,10 @@ class GatewayUpdate(BaseModelWithConfigDict):
 
     # Adding `auth_value` as an alias for better access post-validation
     auth_value: Optional[str] = Field(None, validate_default=True)
+
+    # OAuth 2.0 configuration
+    oauth_config: Optional[Dict[str, Any]] = Field(None, description="OAuth 2.0 configuration including grant_type, client_id, encrypted client_secret, URLs, and scopes")
+
     tags: Optional[List[str]] = Field(None, description="Tags for categorizing the gateway")
 
     @field_validator("tags")

mcpgateway/services/gateway_service.py

@@ -804,6 +804,10 @@ async def update_gateway(self, db: Session, gateway_id: str, gateway_update: Gat
                         gateway.auth_value = ""
 
                     # if auth_type is not None and only then check auth_value
+                # Handle OAuth configuration updates
+                if gateway_update.oauth_config is not None:
+                    gateway.oauth_config = gateway_update.oauth_config
+
                 if getattr(gateway, "auth_value", "") != "":
                     token = gateway_update.auth_token
                     password = gateway_update.auth_password

mcpgateway/static/admin.js

@@ -3183,6 +3183,7 @@ async function editGateway(gatewayId) {
         const authHeadersSection = safeGetElement(
             "auth-headers-fields-gw-edit",
         );
+        const authOAuthSection = safeGetElement("auth-oauth-fields-gw-edit");
 
         // Individual fields
         const authUsernameField = safeGetElement(
@@ -3203,6 +3204,16 @@ async function editGateway(gatewayId) {
             "auth-headers-fields-gw-edit",
         )?.querySelector("input[name='auth_header_value']");
 
+        // OAuth fields
+        const oauthGrantTypeField = safeGetElement("oauth-grant-type-gw-edit");
+        const oauthClientIdField = safeGetElement("oauth-client-id-gw-edit");
+        const oauthClientSecretField = safeGetElement("oauth-client-secret-gw-edit");
+        const oauthTokenUrlField = safeGetElement("oauth-token-url-gw-edit");
+        const oauthAuthUrlField = safeGetElement("oauth-authorization-url-gw-edit");
+        const oauthRedirectUriField = safeGetElement("oauth-redirect-uri-gw-edit");
+        const oauthScopesField = safeGetElement("oauth-scopes-gw-edit");
+        const oauthAuthCodeFields = safeGetElement("oauth-auth-code-fields-gw-edit");
+
         // Hide all auth sections first
         if (authBasicSection) {
             authBasicSection.style.display = "none";
@@ -3213,6 +3224,9 @@ async function editGateway(gatewayId) {
         if (authHeadersSection) {
             authHeadersSection.style.display = "none";
         }
+        if (authOAuthSection) {
+            authOAuthSection.style.display = "none";
+        }
 
         switch (gateway.authType) {
             case "basic":
@@ -3245,6 +3259,41 @@ async function editGateway(gatewayId) {
                     }
                 }
                 break;
+            case "oauth":
+                if (authOAuthSection) {
+                    authOAuthSection.style.display = "block";
+                }
+                // Populate OAuth fields if available
+                if (gateway.oauthConfig) {
+                    const config = gateway.oauthConfig;
+                    if (oauthGrantTypeField && config.grant_type) {
+                        oauthGrantTypeField.value = config.grant_type;
+                        // Show/hide authorization code fields based on grant type
+                        if (oauthAuthCodeFields) {
+                            oauthAuthCodeFields.style.display =
+                                config.grant_type === "authorization_code" ? "block" : "none";
+                        }
+                    }
+                    if (oauthClientIdField && config.client_id) {
+                        oauthClientIdField.value = config.client_id;
+                    }
+                    if (oauthClientSecretField) {
+                        oauthClientSecretField.value = ""; // Don't populate secret for security
+                    }
+                    if (oauthTokenUrlField && config.token_url) {
+                        oauthTokenUrlField.value = config.token_url;
+                    }
+                    if (oauthAuthUrlField && config.authorization_url) {
+                        oauthAuthUrlField.value = config.authorization_url;
+                    }
+                    if (oauthRedirectUriField && config.redirect_uri) {
+                        oauthRedirectUriField.value = config.redirect_uri;
+                    }
+                    if (oauthScopesField && config.scopes && Array.isArray(config.scopes)) {
+                        oauthScopesField.value = config.scopes.join(" ");
+                    }
+                }
+                break;
             case "":
             default:
                 // No auth – keep everything hidden
@@ -3658,6 +3707,7 @@ function handleAuthTypeSelection(
     basicFields,
     bearerFields,
     headersFields,
+    oauthFields,
 ) {
     if (!basicFields || !bearerFields || !headersFields) {
         console.warn("Auth field elements not found");
@@ -3666,30 +3716,40 @@ function handleAuthTypeSelection(
 
     // Hide all fields first
     [basicFields, bearerFields, headersFields].forEach((field) => {
-        field.style.display = "none";
+        if (field) field.style.display = "none";
     });
 
+    // Hide OAuth fields if they exist
+    if (oauthFields) {
+        oauthFields.style.display = "none";
+    }
+
     // Show relevant field based on selection
     switch (value) {
         case "basic":
-            basicFields.style.display = "block";
+            if (basicFields) basicFields.style.display = "block";
             break;
         case "bearer":
-            bearerFields.style.display = "block";
+            if (bearerFields) bearerFields.style.display = "block";
             break;
         case "authheaders": {
-            headersFields.style.display = "block";
-            // Ensure at least one header row is present
-            const containerId =
-                headersFields.querySelector('[id$="-container"]')?.id;
-            if (containerId) {
-                const container = document.getElementById(containerId);
-                if (container && container.children.length === 0) {
-                    addAuthHeader(containerId);
+            if (headersFields) {
+                headersFields.style.display = "block";
+                // Ensure at least one header row is present
+                const containerId =
+                    headersFields.querySelector('[id$="-container"]')?.id;
+                if (containerId) {
+                    const container = document.getElementById(containerId);
+                    if (container && container.children.length === 0) {
+                        addAuthHeader(containerId);
+                    }
                 }
             }
             break;
         }
+        case "oauth":
+            if (oauthFields) oauthFields.style.display = "block";
+            break;
         default:
             // All fields already hidden
             break;
@@ -6080,6 +6140,42 @@ async function handleEditGatewayFormSubmit(e) {
             JSON.stringify(passthroughHeaders),
         );
 
+        // Handle OAuth configuration
+        const authType = formData.get("auth_type");
+        if (authType === "oauth") {
+            const oauthConfig = {
+                grant_type: formData.get("oauth_grant_type"),
+                client_id: formData.get("oauth_client_id"),
+                client_secret: formData.get("oauth_client_secret"),
+                token_url: formData.get("oauth_token_url"),
+                scopes: formData.get("oauth_scopes")
+                    ? formData
+                          .get("oauth_scopes")
+                          .split(" ")
+                          .filter((s) => s.trim())
+                    : [],
+            };
+
+            // Add authorization code specific fields
+            if (oauthConfig.grant_type === "authorization_code") {
+                oauthConfig.authorization_url = formData.get(
+                    "oauth_authorization_url",
+                );
+                oauthConfig.redirect_uri = formData.get("oauth_redirect_uri");
+            }
+
+            // Remove individual OAuth fields and add as oauth_config
+            formData.delete("oauth_grant_type");
+            formData.delete("oauth_client_id");
+            formData.delete("oauth_client_secret");
+            formData.delete("oauth_token_url");
+            formData.delete("oauth_scopes");
+            formData.delete("oauth_authorization_url");
+            formData.delete("oauth_redirect_uri");
+
+            formData.append("oauth_config", JSON.stringify(oauthConfig));
+        }
+
         const isInactiveCheckedBool = isInactiveChecked("gateways");
         formData.append("is_inactive_checked", isInactiveCheckedBool);
         // Submit via fetch
@@ -6697,6 +6793,7 @@ function setupAuthenticationToggles() {
             basicId: "auth-basic-fields-gw-edit",
             bearerId: "auth-bearer-fields-gw-edit",
             headersId: "auth-headers-fields-gw-edit",
+            oauthId: "auth-oauth-fields-gw-edit",
         },
         {
             id: "edit-auth-type",
@@ -6765,6 +6862,15 @@ function setupFormHandlers() {
         });
     }
 
+    // Add OAuth grant type change handler for Edit Gateway modal
+    const editOAuthGrantTypeField = safeGetElement("oauth-grant-type-gw-edit");
+    if (editOAuthGrantTypeField) {
+        editOAuthGrantTypeField.addEventListener(
+            "change",
+            handleEditOAuthGrantTypeChange,
+        );
+    }
+
     const toolForm = safeGetElement("add-tool-form");
     if (toolForm) {
         toolForm.addEventListener("submit", handleToolFormSubmit);
@@ -6907,6 +7013,38 @@ function handleOAuthGrantTypeChange() {
     }
 }
 
+function handleEditOAuthGrantTypeChange() {
+    const grantType = this.value;
+    const authCodeFields = safeGetElement("oauth-auth-code-fields-gw-edit");
+
+    if (authCodeFields) {
+        if (grantType === "authorization_code") {
+            authCodeFields.style.display = "block";
+
+            // Make authorization code specific fields required
+            const requiredFields =
+                authCodeFields.querySelectorAll('input[type="url"]');
+            requiredFields.forEach((field) => {
+                field.required = true;
+            });
+
+            // Show additional validation for required fields
+            console.log(
+                "Authorization Code flow selected - additional fields are now required",
+            );
+        } else {
+            authCodeFields.style.display = "none";
+
+            // Remove required validation for hidden fields
+            const requiredFields =
+                authCodeFields.querySelectorAll('input[type="url"]');
+            requiredFields.forEach((field) => {
+                field.required = false;
+            });
+        }
+    }
+}
+
 function setupSchemaModeHandlers() {
     const schemaModeRadios = document.getElementsByName("schema_input_mode");
     const uiBuilderDiv = safeGetElement("ui-builder");