MCPcopy
hub / github.com/github/github-mcp-server / begin

Method begin

internal/oauth/flow.go:45–66  ·  view source on GitHub ↗

begin selects and prepares the appropriate flow. PKCE is preferred for its stronger security; device flow is the fallback. A random callback port inside Docker cannot be reached from the host browser, so that combination goes straight to device flow.

(prompter Prompter)

Source from the content-addressed store, hash-verified

43// Docker cannot be reached from the host browser, so that combination goes
44// straight to device flow.
45func (m *Manager) begin(prompter Prompter) (*flowPlan, error) {
46 canPKCE := m.config.CallbackPort != 0 || !m.inDocker()
47 if canPKCE {
48 plan, err := m.beginPKCE(prompter)
49 if err == nil {
50 return plan, nil
51 }
52 // A fixed callback port that won't bind is fatal, not a cue to downgrade.
53 // The port was chosen deliberately (and registered with the OAuth app), so
54 // a bind failure means another process holds it — possibly one positioned
55 // to intercept the authorization redirect. Silently switching to device
56 // flow would mask that, so stop and make the user resolve it. Only genuine
57 // bind failures qualify; other errors fall through to device flow.
58 if m.config.CallbackPort != 0 && errors.Is(err, errCallbackBind) {
59 return nil, fmt.Errorf("OAuth callback port %d is not available; another process may be using it — free the port or set a different --oauth-callback-port: %w", m.config.CallbackPort, err)
60 }
61 m.logger.Info("PKCE flow unavailable, falling back to device flow", "reason", err)
62 } else {
63 m.logger.Info("no callback port inside container; using device flow")
64 }
65 return m.beginDevice(prompter)
66}
67
68// beginPKCE prepares the authorization-code + PKCE flow. It binds the callback
69// server and selects the most secure available display channel: browser

Callers 1

AuthenticateMethod · 0.95

Calls 3

beginPKCEMethod · 0.95
beginDeviceMethod · 0.95
IsMethod · 0.45

Tested by

no test coverage detected