Skip to content

fix: Add response_type + PKCE parameters to OAuth authorization endpoint #15720

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 21, 2025
Merged

fix: Add response_type + PKCE parameters to OAuth authorization endpoint #15720

merged 2 commits into from
Oct 21, 2025

Conversation

@talalryz
Copy link
Contributor

@talalryz talalryz commented Oct 20, 2025
edited
Loading

What does this change do

Fixes OAuth 2.1 PKCE (Proof Key for Code Exchange) support in LiteLLM's MCP OAuth proxy.
Previously, the proxy did not forward PKCE parameters, causing OAuth flows with providers like
Google to fail when used with PKCE-compliant clients (such as Claude Code).

Changes Made

  1. Authorization endpoint (/authorize):

    • Added support for code_challenge and code_challenge_method query parameters
    • Forwards PKCE parameters to upstream OAuth providers
    • Stores PKCE parameters and client redirect_uri in encrypted session state

  2. Token endpoint (/token):

    • Added support for code_verifier form parameter
    • Forwards PKCE verifier to upstream OAuth provider for validation
    • Only includes non-null fields in token response to prevent validation errors

  3. State management:

    • Enhanced state encryption to store PKCE parameters and client redirect URIs
    • Maintains OAuth session data throughout the authorization flow

  4. Tests:

    • Added test_authorize_endpoint_forwards_pkce_parameters() to verify PKCE parameter forwarding
      in authorization
    • Added test_token_endpoint_forwards_code_verifier() to verify PKCE verifier forwarding in
      token exchange

Impact

  • ✅ Google MCP OAuth now works with PKCE-compliant clients
  • ✅ GitHub MCP OAuth continues to work (backward compatible)
  • ✅ Any OAuth 2.1 provider with PKCE is now supported
  • ✅ Non-PKCE OAuth flows remain unaffected

🤖 Generated with Claude Code

Relevant issues

Fixes #15684

Screenshot 2025-10-20 at 8 47 14 PM

Tested Locally -> screenshots

Step 1

Screenshot 2025-10-20 at 8 40 36 PM

Step 2

Screenshot 2025-10-20 at 8 40 52 PM

Step 3

Screenshot 2025-10-20 at 8 41 14 PM

Pre-Submission checklist

  • I have Added testing in the
    tests/litellm/ directory, Adding
    at least 1 test is a hard requirement     - see
    details
  • I have added a screenshot of my new test passing locally
  • My PR passes all unit tests on make test-unit
  • My PR's scope is as isolated as possible, it only solves 1 specific problem

Type

🐛 Bug Fix

@vercel
Copy link

vercel bot commented Oct 20, 2025

Someone is attempting to deploy a commit to the CLERKIEAI Team on Vercel.

A member of the Team first needs to authorize it.

@CLAassistant
Copy link

CLAassistant commented Oct 20, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

talalryz and others added 2 commits October 20, 2025 18:34
@talalryz @claude
fix: Add response_type parameter to OAuth authorization endpoint
e8cfbe9 
Fixes BerriAI#15684

OAuth providers like Google require the response_type parameter during
the authorization flow. This commit adds response_type=code to the
authorization redirect parameters, which is required by the OAuth 2.0
specification (RFC 6749 Section 4.1.1).

Changes:
- Added response_type=code to authorization params in discoverable_endpoints.py
- Added test coverage for the response_type parameter

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
@talalryz
fix oauth flow by forwarding code_challenge and forwarding code_verifier
2e282de
@talalryz talalryz force-pushed the fix/add-response-type-oauth branch from 09290d3 to 2e282de Compare October 21, 2025 01:35
@talalryz talalryz changed the title fix: Add response_type parameter to OAuth authorization endpoint fix: Add response_type + PKCE parameters to OAuth authorization endpoint Oct 21, 2025
@talalryz
Copy link
Contributor Author

cc: @mubashir1osmani @krrishdholakia @ishaan-jaff please take a look

@krrishdholakia krrishdholakia merged commit 46d55bd into BerriAI:main Oct 21, 2025
4 of 6 checks passed
@krrishdholakia
Copy link
Contributor

LGTM! Thank you for the fix @talalryz

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: response_type + PKCE params not set - MCP OAuth

3 participants

@talalryz @CLAassistant @krrishdholakia