From 58365da6b45ff3563e4dc239df2fa6cecd6000e1 Mon Sep 17 00:00:00 2001
From: Olivier Gintrand
Date: Tue, 14 Apr 2026 16:55:57 +0200
Subject: [PATCH] fix(oauth): preserve OAuth client_secret when editing gateways and A2A agents
Signed-off-by: Olivier Gintrand
---
 mcpgateway/admin.py | 14 ++++++++++----
 mcpgateway/admin_ui/a2aAgents.js | 2 +-
 mcpgateway/admin_ui/gateways.js | 2 +-
 mcpgateway/admin_ui/servers.js | 11 +++++++++++
 4 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/mcpgateway/admin.py b/mcpgateway/admin.py
index c513761494..a8dd79c046 100644
--- a/mcpgateway/admin.py
+++ b/mcpgateway/admin.py
@@ -12394,10 +12394,13 @@ async def admin_edit_gateway(
 oauth_config["redirect_uri"] = oauth_redirect_uri
 if oauth_client_id:
 oauth_config["client_id"] = oauth_client_id
- if oauth_client_secret:
- # Encrypt the client secret
+ if oauth_client_secret and oauth_client_secret != settings.masked_auth_value:
+ # Encrypt the new client secret
 encryption = get_encryption_service(settings.auth_encryption_secret)
 oauth_config["client_secret"] = await encryption.encrypt_secret_async(oauth_client_secret)
+ elif oauth_client_id:
+ # client_id present but secret left blank or masked — preserve existing secret
+ oauth_config["client_secret"] = settings.masked_auth_value
 # Add username and password for password grant type
 if oauth_username:
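Review bot: In `admin_edit_gateway`, the new `elif oauth_client_id:` branch writes the display placeholder `settings.masked_auth_value` into `oauth_config["client_secret"]`, so the stored secret is preserved only if whatever consumes `oauth_config` recognises that sentinel and restores the existing encrypted value; that code is not in this hunk and should be confirmed. The branch also runs when the field is blank and no secret was ever stored, where there is nothing to preserve and the placeholder could end up persisted as the secret. I would either limit the branch to the masked case, `elif oauth_client_id and oauth_client_secret == settings.masked_auth_value:`, or set the placeholder only when the stored config already holds a secret. The identical block in the `admin_edit_a2a_agent` hunk has the same issue, and both functions continue outside their hunks.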
@@ -15719,10 +15722,13 @@ async def admin_edit_a2a_agent(
 oauth_config["redirect_uri"] = oauth_redirect_uri
 if oauth_client_id:
 oauth_config["client_id"] = oauth_client_id
- if oauth_client_secret:
- # Encrypt the client secret
+ if oauth_client_secret and oauth_client_secret != settings.masked_auth_value:
+ # Encrypt the new client secret
 encryption = get_encryption_service(settings.auth_encryption_secret)
 oauth_config["client_secret"] = await encryption.encrypt_secret_async(oauth_client_secret)
+ elif oauth_client_id:
+ # client_id present but secret left blank or masked — preserve existing secret
+ oauth_config["client_secret"] = settings.masked_auth_value
 # Add username and password for password grant type
 if oauth_username:
diff --git a/mcpgateway/admin_ui/a2aAgents.js b/mcpgateway/admin_ui/a2aAgents.js
index 8fda0d22dd..38325b6a66 100644
--- a/mcpgateway/admin_ui/a2aAgents.js
+++ b/mcpgateway/admin_ui/a2aAgents.js
@@ -513,7 +513,7 @@ export const editA2AAgent = async function (agentId) {
 oauthClientIdField.value = config.client_id || "";
 }
 if (oauthClientSecretField) {
- oauthClientSecretField.value = ""; // Don't populate secret for security
+ oauthClientSecretField.value = config.client_secret ? MASKED_AUTH_VALUE : "";
 }
 if (oauthTokenUrlField) {
 oauthTokenUrlField.value = config.token_url || "";
diff --git a/mcpgateway/admin_ui/gateways.js b/mcpgateway/admin_ui/gateways.js
index c8028dcf6e..8733294a73 100644
--- a/mcpgateway/admin_ui/gateways.js
+++ b/mcpgateway/admin_ui/gateways.js
@@ -510,7 +510,7 @@ export const editGateway = async function (gatewayId) {
 oauthClientIdField.value = config.client_id || "";
 }
 if (oauthClientSecretField) {
- oauthClientSecretField.value = ""; // Don't populate secret for security
+ oauthClientSecretField.value = config.client_secret ? MASKED_AUTH_VALUE : "";
 }
 if (oauthTokenUrlField) {
 oauthTokenUrlField.value = config.token_url || "";
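Review bot: In `editA2AAgent` (a2aAgents.js), `config.client_secret ? MASKED_AUTH_VALUE : ""` only shows the mask if the payload sent to the browser carries a truthy `client_secret`, and the removed comment explaining why the field is never populated has no replacement. It is worth confirming that the API returns the mask or a has-secret flag in that property rather than the stored ciphertext, which the hunk does not show. I would keep the rationale on the line, e.g. `// Placeholder only: the stored secret must never be written to the DOM`. `MASKED_AUTH_VALUE` is used here and in the matching `editGateway` line in gateways.js without this patch adding an import (servers.js gets one), so check that both files already import it. Both functions continue outside their hunks.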
diff --git a/mcpgateway/admin_ui/servers.js b/mcpgateway/admin_ui/servers.js
index da68d440e8..0cea2dbdbe 100644
--- a/mcpgateway/admin_ui/servers.js
+++ b/mcpgateway/admin_ui/servers.js
@@ -1,5 +1,6 @@
 import { AppState } from "./appState.js";
 import { getCatalogUrl } from "./configExport.js";
+import { MASKED_AUTH_VALUE } from "./constants.js";
 import { toggleViewPublic } from "./filters.js";
 import { initGatewaySelect } from "./gateways.js";
 import { openModal } from "./modals.js";
@@ -857,6 +858,16 @@ export const editServer = async function (serverId) {
 if (oauthTokenEndpointField) {
 oauthTokenEndpointField.value = server.oauthConfig.token_endpoint || "";
 }
+
+ // Extract client_id for DCR bypass (pre-registered client)
+ const oauthClientIdField = safeGetElement("edit-server-oauth-client-id");
+ if (oauthClientIdField) {
+ oauthClientIdField.value = server.oauthConfig.client_id || "";
+ }
+ const oauthClientSecretField = safeGetElement("edit-server-oauth-client-secret");
+ if (oauthClientSecretField) {
+ oauthClientSecretField.value = server.oauthConfig.client_secret ? MASKED_AUTH_VALUE : "";
+ }
 } else {
 // Clear OAuth config fields when no config exists
 if (oauthAuthServerField) oauthAuthServerField.value = "";
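Review bot: In the second hunk, `editServer` now pre-fills `edit-server-oauth-client-secret` with `MASKED_AUTH_VALUE` whenever a secret exists, but this patch adds the `!= settings.masked_auth_value` guard only to `admin_edit_gateway` and `admin_edit_a2a_agent` in admin.py. Unless the server edit handler already filters the placeholder (not visible here), saving the form unchanged could replace the real secret with the mask string. The same masked-value check should be applied wherever this field is read on the server side. `editServer` starts and ends outside the hunk.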