modelcontextprotocol · geelen · Jul 24, 2025 · Jul 23, 2025 · Jul 24, 2025
diff --git a/examples/servers/cf-agents/src/index.ts b/examples/servers/cf-agents/src/index.ts
@@ -155,7 +155,53 @@ const app = new Hono<{
 
 app.get('/authorize', async (c) => {
   const oauthReqInfo = await c.env.OAUTH_PROVIDER.parseAuthRequest(c.req.raw)
+  const url = new URL(c.req.url)
+
+  const approveHref = url.toString()
+  return c.html(/*html*/ `
+    <!doctype html>
+    <meta charset="utf-8">
+    <title>Authorize access</title>
+    <style>
+      body{font-family:system-ui;margin:2rem;text-align:center;background:#f5f5f5}
+      .container{max-width:400px;margin:0 auto;background:white;padding:2rem;border-radius:8px;box-shadow:0 2px 10px rgba(0,0,0,0.1)}
+      h2{margin-bottom:1rem;color:#333}
+      button{padding:.8rem 1.5rem;margin:.5rem;font-size:1rem;border:none;border-radius:4px;cursor:pointer}
+      .approve{background:#007bff;color:white}
+      .approve:hover{background:#0056b3}
+      .deny{background:#6c757d;color:white}
+      .deny:hover{background:#545b62}
+      .client-name{background:#e9ecef;padding:.5rem;border-radius:4px;font-family:monospace}
+      .user-info{opacity:.6;font-size:.9rem;margin-top:1rem}
+    </style>
+    <div class="container">
+      <h2>Authorize access</h2>
+      <p>Allow <span class="client-name">Unknown client</span> to access your calculator?</p>
+      <div>
+        <form method="POST" action="${approveHref}" style="display:inline">
+          <input type="hidden" name="oauthReqInfo" value='${encodeURIComponent(JSON.stringify(oauthReqInfo))}'>
+          <button type="submit" class="approve">Approve</button>
+        </form>
+        <button class="deny" onclick="window.close()">Deny</button>
+      </div>
+      <p class="user-info">User: example@dotcom.com</p>
+    </div>
+  `)
+})
+
+app.post('/authorize', async (c) => {
   const email = 'example@dotcom.com'
+  const formData = await c.req.formData()
+  const oauthReqInfoRaw = formData.get('oauthReqInfo')
+  if (!oauthReqInfoRaw || typeof oauthReqInfoRaw !== 'string') {
+    return c.text('Missing oauthReqInfo', 400)
+  }
+  let oauthReqInfo
+  try {
+    oauthReqInfo = JSON.parse(decodeURIComponent(oauthReqInfoRaw))
+  } catch (e) {
+    return c.text('Invalid oauthReqInfo', 400)
+  }
   const { redirectTo } = await c.env.OAUTH_PROVIDER.completeAuthorization({
     request: oauthReqInfo,
     userId: email,

diff --git a/test/integration/test-utils.ts b/test/integration/test-utils.ts
@@ -159,6 +159,59 @@ export async function connectToMCPServer(
   // Wait for connection attempt to complete
   await page.waitForTimeout(1000)
 
+  // Check for OAuth popup and handle it - try multiple times to catch different OAuth flows
+  let oauthHandled = false
+  for (let popupAttempt = 0; popupAttempt < 5 && !oauthHandled; popupAttempt++) {
+    try {
+      // Look for OAuth popup by checking for new pages
+      const context = page.context()
+      const initialPages = context.pages()
+
+      // Wait a bit to see if OAuth popup appears
+      await page.waitForTimeout(1000)
+
+      const currentPages = context.pages()
+      if (currentPages.length > initialPages.length) {
+        // OAuth popup appeared, find it
+        const popup = currentPages.find((p) => p !== page && p.url().includes('/authorize'))
+        if (popup) {
+          console.log('🔐 OAuth popup detected, clicking Approve button...')
+          // Wait for the approval form to load
+          await popup.waitForSelector('button.approve', { timeout: 5000 })
+          // Click the Approve button
+          await popup.click('button.approve')
+          console.log('✅ Clicked Approve button')
+          // Wait for popup to close
+          await popup.waitForEvent('close', { timeout: 10000 })
+          console.log('🔒 OAuth popup closed')
+          oauthHandled = true
+          break
+        }
+      }
+
+      // Also check if there's a popup that opened that we haven't detected yet
+      const allPages = context.pages()
+      for (const possiblePopup of allPages) {
+        if (possiblePopup !== page && possiblePopup.url().includes('/authorize')) {
+          console.log('🔐 Found OAuth popup on retry, clicking Approve button...')
+          await possiblePopup.waitForSelector('button.approve', { timeout: 5000 })
+          await possiblePopup.click('button.approve')
+          console.log('✅ Clicked Approve button')
+          await possiblePopup.waitForEvent('close', { timeout: 10000 })
+          console.log('🔒 OAuth popup closed')
+          oauthHandled = true
+          break
+        }
+      }
+    } catch (e) {
+      console.log(`ℹ️  OAuth popup attempt ${popupAttempt + 1} failed:`, e.message)
+    }
+  }
+
+  if (!oauthHandled) {
+    console.log('ℹ️  No OAuth popup detected after multiple attempts')
+  }
+
   // Check for connection status
   let attempts = 0
   const maxAttempts = 20