fix(oauth): only elicit when browser fails to open

PKCE flow now opens browser directly and waits for callback without
elicitation. Elicitation is only used when:
- Device flow (Docker mode) - to show user code
- Browser fails to open - fallback to show URL

Author: SamMorrowDrums

internal/ghmcp/server.go

@@ -36,6 +36,11 @@ type MCPServerConfig struct {
 	// GitHub Token to authenticate with the GitHub API
 	Token string
 
+	// TokenProvider is an optional function to dynamically get the token.
+	// Used for OAuth flows where the token is obtained after server startup.
+	// If set, this takes precedence over Token for API requests.
+	TokenProvider func() string
+
 	// PrebuiltInventory is an optional pre-built inventory to avoid double building
 	// When set, this inventory will be used instead of building a new one
 	PrebuiltInventory *inventory.Inventory
@@ -92,9 +97,19 @@ type githubClients struct {
 }
 
 // createGitHubClients creates all the GitHub API clients needed by the server.
-func createGitHubClients(cfg MCPServerConfig, apiHost apiHost) (*githubClients, error) {
-	// Construct REST client
-	restClient := gogithub.NewClient(nil).WithAuthToken(cfg.Token)
+// If tokenProviderFn is provided, it will be used to get the token dynamically (for OAuth).
+// Otherwise, cfg.Token is used as a static token.
+func createGitHubClients(cfg MCPServerConfig, apiHost apiHost, tokenProviderFn tokenProvider) (*githubClients, error) {
+	// Create bearer auth transport that can use dynamic token
+	restTransport := &bearerAuthTransport{
+		transport:     http.DefaultTransport,
+		token:         cfg.Token,
+		tokenProvider: tokenProviderFn,
+	}
+
+	// Construct REST client with custom transport
+	restHTTPClient := &http.Client{Transport: restTransport}
+	restClient := gogithub.NewClient(restHTTPClient)
 	restClient.UserAgent = fmt.Sprintf("github-mcp-server/%s", cfg.Version)
 	restClient.BaseURL = apiHost.baseRESTURL
 	restClient.UploadURL = apiHost.uploadURL
@@ -106,12 +121,13 @@ func createGitHubClients(cfg MCPServerConfig, apiHost apiHost) (*githubClients,
 			transport: &github.GraphQLFeaturesTransport{
 				Transport: http.DefaultTransport,
 			},
-			token: cfg.Token,
+			token:         cfg.Token,
+			tokenProvider: tokenProviderFn,
 		},
 	}
 	gqlClient := githubv4.NewEnterpriseClient(apiHost.graphqlURL.String(), gqlHTTPClient)
 
-	// Create raw content client (shares REST client's HTTP transport)
+	// Create raw content client (inherits transport from REST client)
 	rawClient := raw.NewClient(restClient, apiHost.rawURL)
 
 	// Set up repo access cache for lockdown mode
@@ -168,7 +184,7 @@ func NewMCPServer(cfg MCPServerConfig) (*mcp.Server, error) {
 		return nil, fmt.Errorf("failed to parse API host: %w", err)
 	}
 
-	clients, err := createGitHubClients(cfg, apiHost)
+	clients, err := createGitHubClients(cfg, apiHost, cfg.TokenProvider)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create GitHub clients: %w", err)
 	}
@@ -338,7 +354,7 @@ type StdioServerConfig struct {
 	OAuthManager interface {
 		HasToken() bool
 		GetAccessToken() string
-		RequestAuthentication(context.Context) error
+		RequestAuthentication(context.Context, *mcp.ServerSession) error
 	}
 
 	// OAuthScopes contains the OAuth scopes that were requested
@@ -437,10 +453,22 @@ func RunStdioServer(cfg StdioServerConfig) error {
 		logger.Debug("skipping scope filtering for non-PAT token")
 	}
 
+	// Create token provider that checks OAuth first, then falls back to static token
+	var tokenProvider func() string
+	if cfg.OAuthManager != nil {
+		tokenProvider = func() string {
+			if token := cfg.OAuthManager.GetAccessToken(); token != "" {
+				return token
+			}
+			return cfg.Token
+		}
+	}
+
 	ghServer, err := NewMCPServer(MCPServerConfig{
 		Version:           cfg.Version,
 		Host:              cfg.Host,
 		Token:             cfg.Token,
+		TokenProvider:     tokenProvider,
 		PrebuiltInventory: cfg.PrebuiltInventory,
 		EnabledToolsets:   cfg.EnabledToolsets,
 		EnabledTools:      cfg.EnabledTools,
@@ -692,14 +720,24 @@ func (t *userAgentTransport) RoundTrip(req *http.Request) (*http.Response, error
 	return t.transport.RoundTrip(req)
 }
 
+// tokenProvider is a function that returns the current auth token
+type tokenProvider func() string
+
 type bearerAuthTransport struct {
-	transport http.RoundTripper
-	token     string
+	transport     http.RoundTripper
+	token         string        // static token (used if tokenProvider is nil)
+	tokenProvider tokenProvider // dynamic token provider (takes precedence)
 }
 
 func (t *bearerAuthTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 	req = req.Clone(req.Context())
-	req.Header.Set("Authorization", "Bearer "+t.token)
+	token := t.token
+	if t.tokenProvider != nil {
+		token = t.tokenProvider()
+	}
+	if token != "" {
+		req.Header.Set("Authorization", "Bearer "+token)
+	}
 	return t.transport.RoundTrip(req)
 }
 
@@ -763,7 +801,7 @@ func fetchTokenScopesForHost(ctx context.Context, token, host string) ([]string,
 func createOAuthMiddleware(oauthMgr interface {
 	HasToken() bool
 	GetAccessToken() string
-	RequestAuthentication(context.Context) error
+	RequestAuthentication(context.Context, *mcp.ServerSession) error
 }, logger *slog.Logger) func(mcp.MethodHandler) mcp.MethodHandler {
 	return func(next mcp.MethodHandler) mcp.MethodHandler {
 		return func(ctx context.Context, method string, req mcp.Request) (mcp.Result, error) {
@@ -775,14 +813,22 @@ func createOAuthMiddleware(oauthMgr interface {
 			// Check if we have a token
 			if !oauthMgr.HasToken() {
 				logger.Info("no authentication token available, triggering OAuth flow")
-				// Trigger OAuth authentication
-				// This will return an MCP URL elicitation error that the client will handle
-				if err := oauthMgr.RequestAuthentication(ctx); err != nil {
-					// Return the error (which should be a URL elicitation error)
+
+				// Get the session for elicitation
+				var session *mcp.ServerSession
+				if sess := req.GetSession(); sess != nil {
+					// Type assert to ServerSession
+					if ss, ok := sess.(*mcp.ServerSession); ok {
+						session = ss
+					}
+				}
+
+				// Trigger OAuth authentication (blocks until complete)
+				if err := oauthMgr.RequestAuthentication(ctx, session); err != nil {
 					return nil, err
 				}
-				// If we get here without error, OAuth completed immediately
-				// Fall through to execute the tool with the new token
+				// OAuth completed successfully - fall through to execute the tool
+				logger.Info("OAuth authentication completed successfully")
 			}
 
 			// Execute the tool with authentication