refactor(core): extract shared OAuth flow primitives from MCPOAuthProvider#20895

Merged

SandyTao520 merged 3 commits into main from refactor/extract-shared-oauth-flow-primitives on Mar 5, 2026

Conversation

@SandyTao520
Contributor

Summary

Extract generic OAuth 2.0 Authorization Code + PKCE primitives from MCPOAuthProvider into a shared oauth-flow.ts module, enabling reuse by both MCP and A2A authentication providers. Pure refactor — no behavior change.

Details

New file: packages/core/src/utils/oauth-flow.ts

  • 6 exported functions: generatePKCEParams, startCallbackServer, getPortFromUrl, buildAuthorizationUrl, exchangeCodeForToken, refreshAccessToken
  • 1 internal helper: parseTokenEndpointResponse (deduplicates token response parsing that was previously copy-pasted between exchangeCodeForToken and refreshAccessToken)
  • Exported types: OAuthFlowConfig, OAuthRefreshConfig, PKCEParams, OAuthAuthorizationResponse, OAuthTokenResponse
  • MCP-specific concerns (resource parameter via RFC 8707) are handled via an optional resource?: string parameter — callers pass it, the shared functions just append it if present

Modified file: packages/core/src/mcp/oauth-provider.ts

  • Removed ~500 lines of extracted methods
  • Delegates to shared functions from oauth-flow.ts
  • New buildResourceParam() private helper consolidates the repeated try/catch pattern for MCP resource parameter building
  • Re-exports OAuthAuthorizationResponse and OAuthTokenResponse from oauth-flow.ts for backward compatibility

This is the foundation for PR 2 (#17600) which will add OAuth2AuthProvider for A2A remote agents using these shared primitives.

Related Issues

Related to #17600

How to Validate

  1. Run npm run typecheck — passes with no errors
  2. Run npm run lint — passes with no errors
  3. Run npm test -w @google/gemini-cli-core -- src/mcp/oauth-provider.test.ts — all 41 existing tests pass unchanged
  4. Run npm test -w @google/gemini-cli-core -- src/tools/mcp-client.test.ts — all 66 tests pass (verifies import compatibility)
  5. Run npm test -w @google/gemini-cli-core — all 5,387 core tests pass

Pre-Merge Checklist

  • Updated relevant documentation and README (if needed)
  • Added/updated tests (if needed)
  • Noted breaking changes (if any)
  • Validated on required platforms/methods:
    • MacOS
      • npm run
      • npx
      • Docker
      • Podman
      • Seatbelt
    • Windows
      • npm run
      • npx
      • Docker
    • Linux
      • npm run
      • npx
      • Docker

@SandyTao520 SandyTao520 requested a review from a team as a code owner March 2, 2026 22:31
@gemini-cli
Contributor

gemini-cli bot commented Mar 2, 2026

Hi @SandyTao520, thank you so much for your contribution to Gemini CLI! We really appreciate the time and effort you've put into this.

We're making some updates to our contribution process to improve how we track and review changes. Please take a moment to review our recent discussion post: Improving Our Contribution Process & Introducing New Guidelines.

Key Update: Starting January 26, 2026, the Gemini CLI project will require all pull requests to be associated with an existing issue. Any pull requests not linked to an issue by that date will be automatically closed.

Thank you for your understanding and for being a part of our community!

@gemini-code-assist
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly improves the modularity and reusability of OAuth authentication logic within the core package. By centralizing common OAuth 2.0 Authorization Code and PKCE flow primitives into a dedicated utility module, it lays the groundwork for consistent authentication implementations across different providers, such as MCP and future A2A agents. This change streamlines the codebase and enhances maintainability without altering any existing functionality.

Highlights

  • Shared OAuth Flow Primitives: Extracted generic OAuth 2.0 Authorization Code + PKCE primitives into a new, shared oauth-flow.ts module. This module now houses functions for generating PKCE parameters, starting a callback server, building authorization URLs, exchanging codes for tokens, and refreshing access tokens.
  • MCPOAuthProvider Refactoring: Refactored MCPOAuthProvider to remove approximately 500 lines of duplicated OAuth logic. It now delegates to the newly created shared functions in oauth-flow.ts for core OAuth operations.
  • MCP-Specific Resource Parameter Handling: Introduced a new private helper method, buildResourceParam(), within MCPOAuthProvider to consolidate the logic for building MCP-specific resource parameters, which is then passed to the shared OAuth functions.
  • Backward Compatibility: Re-exported OAuthAuthorizationResponse and OAuthTokenResponse types from oauth-flow.ts in MCPOAuthProvider to maintain backward compatibility for existing consumers.
  • No Behavior Change: Confirmed that this is a pure refactor with no changes in behavior, as validated by all existing tests passing without modification.

Changelog

  • packages/core/src/mcp/oauth-provider.ts
    • Removed direct imports for http and net modules.
    • Imported shared OAuth flow functions and types from ../utils/oauth-flow.js.
    • Deleted internal implementations of generatePKCEParams, startCallbackServer, getPortFromUrl, buildAuthorizationUrl, exchangeCodeForToken, and refreshAccessToken.
    • Added a new private helper buildResourceParam to encapsulate MCP-specific resource parameter logic.
    • Updated calls to use the newly imported shared OAuth utility functions.
    • Re-exported OAuthAuthorizationResponse and OAuthTokenResponse types for backward compatibility.
  • packages/core/src/utils/oauth-flow.ts
    • Added a new file containing shared OAuth 2.0 Authorization Code + PKCE primitives.
    • Exported functions: generatePKCEParams, startCallbackServer, getPortFromUrl, buildAuthorizationUrl, exchangeCodeForToken, refreshAccessToken.
    • Exported types: OAuthFlowConfig, OAuthRefreshConfig, PKCEParams, OAuthAuthorizationResponse, OAuthTokenResponse.
    • Included an internal helper function parseTokenEndpointResponse for consistent token response parsing.

Activity

  • The author has completed the pre-merge checklist, including updating documentation, adding/updating tests, and validating the changes on MacOS.
  • All typecheck, lint, and core tests have passed, indicating the refactor did not introduce regressions.

@github-actions

github-actions bot commented Mar 2, 2026

Size Change: -3.31 kB (-0.01%)

Total Size: 26 MB

Filename  Size  Change
./bundle/gemini.js  25.5 MB  -3.31 kB (-0.01%)

Unchanged files:

Filename  Size
./bundle/node_modules/@google/gemini-cli-devtools/dist/client/main.js  221 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/_client-assets.js  227 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/index.js  11.5 kB
./bundle/node_modules/@google/gemini-cli-devtools/dist/src/types.js  132 B
./bundle/sandbox-macos-permissive-open.sb  890 B
./bundle/sandbox-macos-permissive-proxied.sb  1.31 kB
./bundle/sandbox-macos-restrictive-open.sb  3.36 kB
./bundle/sandbox-macos-restrictive-proxied.sb  3.56 kB
./bundle/sandbox-macos-strict-open.sb  4.82 kB
./bundle/sandbox-macos-strict-proxied.sb  5.02 kB

compressed-size-action

Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request is a well-executed refactoring that extracts shared OAuth 2.0 flow logic into a new oauth-flow.ts module. This significantly improves code structure and enables reuse, as intended. The new parseTokenEndpointResponse helper is a great addition for deduplicating response handling. I've found one high-severity issue related to type safety in the new shared module that could lead to runtime errors. Please see my detailed comment.

@gemini-cli gemini-cli bot added area/agent Issues related to Core Agent, Tools, Memory, Sub-Agents, Hooks, Agent Quality 🔒 maintainer only ⛔ Do not contribute. Internal roadmap item. labels Mar 2, 2026
@SandyTao520 SandyTao520 force-pushed the refactor/extract-shared-oauth-flow-primitives branch from 5031897 to e72e2d5 Compare March 3, 2026 23:29
…vider

Extract generic OAuth 2.0 Authorization Code + PKCE logic into a shared
oauth-flow.ts module so both MCP and A2A authentication providers can
reuse it. MCPOAuthProvider now delegates to these shared utilities while
retaining MCP-specific logic (discovery, dynamic registration, resource
parameter handling).

Part of #17600

Address review feedback: validate that JSON-parsed response contains a
string access_token before treating it as an OAuthTokenResponse. If the
JSON doesn't contain the expected field, fall through to form-urlencoded
parsing instead of blindly casting.
- Replace unsafe clientId! non-null assertion in
  MCPOAuthProvider.refreshAccessToken with an explicit validation guard
- Add 42 dedicated unit tests for oauth-flow.ts covering all exported
  functions: generatePKCEParams, getPortFromUrl, buildAuthorizationUrl,
  startCallbackServer, exchangeCodeForToken, and refreshAccessToken
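The primitives the PR description and the review-feedback commit describe, as an added TypeScript illustration that is not the project's oauth-flow.ts: the function names follow the PR, but the bodies, the argument lists and the `state` field in PKCEParams are assumptions. It shows the S256 challenge derivation, the optional RFC 8707 `resource` parameter, and the token-response parser that validates the JSON shape before falling through to form-urlencoded parsing.

```typescript
// Added example, not the project's oauth-flow.ts: minimal versions of three
// primitives the PR names. Bodies, argument lists and the state field are assumed.
import { createHash, randomBytes } from 'node:crypto';
export interface PKCEParams { codeVerifier: string; codeChallenge: string; state: string }
export interface OAuthTokenResponse {
  access_token: string; token_type: string; expires_in?: number; refresh_token?: string;
}

// RFC 7636: base64url verifier from 32 random bytes, its S256 challenge, and a random state.
export function generatePKCEParams(): PKCEParams {
  const codeVerifier = randomBytes(32).toString('base64url');
  const codeChallenge = createHash('sha256').update(codeVerifier).digest('base64url');
  return { codeVerifier, codeChallenge, state: randomBytes(16).toString('base64url') };
}

// Generic builder: the RFC 8707 resource parameter is appended only when the (MCP) caller passes it.
export function buildAuthorizationUrl(authorizationUrl: string, clientId: string,
  redirectUri: string, pkce: PKCEParams, resource?: string): string {
  const url = new URL(authorizationUrl);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('code_challenge', pkce.codeChallenge);
  url.searchParams.set('code_challenge_method', 'S256');
  url.searchParams.set('state', pkce.state);
  if (resource) url.searchParams.set('resource', resource);
  return url.toString();
}

function hasStringAccessToken(v: unknown): v is OAuthTokenResponse {
  return typeof v === 'object' && v !== null &&
    typeof (v as { access_token?: unknown }).access_token === 'string';
}

// Accept JSON only if it really carries a string access_token; otherwise fall through to
// form-urlencoded parsing instead of casting the parsed value blindly (the review fix above).
export function parseTokenEndpointResponse(body: string): OAuthTokenResponse {
  try {
    const parsed: unknown = JSON.parse(body);
    if (hasStringAccessToken(parsed)) return parsed;
  } catch { /* not JSON: try form-urlencoded below */ }
  const form = new URLSearchParams(body);
  const accessToken = form.get('access_token');
  if (!accessToken) throw new Error('token endpoint response lacks access_token');
  const res: OAuthTokenResponse = { access_token: accessToken, token_type: form.get('token_type') ?? 'Bearer' };
  const refreshToken = form.get('refresh_token');
  if (refreshToken) res.refresh_token = refreshToken;
  return res;
}
```

A JSON error body such as `{"error":"invalid_grant"}` is neither a valid JSON token response nor a form body with an access_token, so the parser throws instead of returning a half-filled object.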
@SandyTao520 SandyTao520 force-pushed the refactor/extract-shared-oauth-flow-primitives branch from e72e2d5 to a8585a6 Compare March 4, 2026 23:14
Contributor

@sehoon38 sehoon38 left a comment


LGTM

@SandyTao520 SandyTao520 added this pull request to the merge queue Mar 5, 2026
Merged via the queue into main with commit 0228c2b Mar 5, 2026
27 checks passed
@SandyTao520 SandyTao520 deleted the refactor/extract-shared-oauth-flow-primitives branch March 5, 2026 17:43
struckoff pushed a commit to struckoff/gemini-cli that referenced this pull request Mar 6, 2026
kunal-10-cloud pushed a commit to kunal-10-cloud/gemini-cli that referenced this pull request Mar 12, 2026
liamhelmer pushed a commit to badal-io/gemini-cli that referenced this pull request Mar 12, 2026
yashodipmore pushed a commit to yashodipmore/geemi-cli that referenced this pull request Mar 21, 2026
SUNDRAM07 pushed a commit to SUNDRAM07/gemini-cli that referenced this pull request Mar 30, 2026
adamfweidman added a commit that referenced this pull request Apr 7, 2026
The default port for the OAuth callback was changed from 7777 to a
random OS-assigned port in #20895, but the documentation still
stated that it defaulted to 7777. This commit updates the documentation
to reflect the current behavior.