fix: add OAuth client support to MCP manager (#2607)

ashishrp-aws · web-flow · commit 81c1e089750e · 2026-02-05T11:12:43.000-08:00
diff --git a/server/aws-lsp-codewhisperer/src/language-server/agenticChat/tools/mcp/mcpManager.ts b/server/aws-lsp-codewhisperer/src/language-server/agenticChat/tools/mcp/mcpManager.ts
@@ -518,7 +518,21 @@ export class McpManager {
                         try {
                             const headResp = await fetch(base, { method: 'HEAD', headers })
                             const www = headResp.headers.get('www-authenticate') || ''
-                            needsOAuth = headResp.status === 401 || headResp.status === 403 || /bearer/i.test(www)
+                            this.features.logging.info(`MCP: HEAD response status: ${headResp.status}`)
+
+                            if (headResp.status === 401 || headResp.status === 403 || /bearer/i.test(www)) {
+                                needsOAuth = true
+                                this.features.logging.info(`MCP: OAuth detected via HEAD (${headResp.status})`)
+                            } else if (headResp.status === 405 || headResp.status === 404) {
+                                // HEAD not supported (405) or endpoint not found for HEAD (404), try POST-based OAuth detection
+                                this.features.logging.info(
+                                    `MCP: HEAD returned ${headResp.status}, trying POST-based OAuth detection`
+                                )
+                                needsOAuth = await this.detectOAuthFromPostError(base, headers)
+                                if (needsOAuth) {
+                                    this.features.logging.info(`MCP: OAuth detected via POST error`)
+                                }
+                            }
                         } catch {
                             this.features.logging.info(`MCP: HEAD not available`)
                         }
@@ -1489,6 +1503,30 @@ export class McpManager {
         return Array.from(serverNames)
     }
 
+    /**
+     * Detect OAuth requirement from POST error response
+     * Used when HEAD method returns 405 (Method Not Allowed)
+     */
+    private async detectOAuthFromPostError(url: URL, headers: Record<string, string>): Promise<boolean> {
+        try {
+            const testPayload = { jsonrpc: '2.0', method: 'initialize', id: 1 }
+            const response = await fetch(url, {
+                method: 'POST',
+                headers: { ...headers, 'Content-Type': 'application/json' },
+                body: JSON.stringify(testPayload),
+            })
+
+            if (response.status === 401) {
+                const errorText = await response.text()
+                // Check for OAuth-related error messages
+                return /bearer|token|auth|missing.*auth/i.test(errorText)
+            }
+        } catch (e) {
+            // Ignore errors, assume no OAuth required
+        }
+        return false
+    }
+
     /**
      * Get all builtin tool names
      */
