feat: add HTTP client option to OAuthConfig

[sd2k]

Description

It's already possible to customize the underlying client used by the SSE
and streamable HTTP transports, but not the OAuth handler. This adds
an option to customize the underlying client used by the OAuth handler.

Type of Change

• Bug fix (non-breaking change that fixes an issue)
• New feature (non-breaking change that adds functionality)
• MCP spec compatibility implementation
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Code refactoring (no functional changes)
• Performance improvement
• Tests only (no functional changes)
• Other (please describe):

Checklist

• My code follows the code style of this project
• I have performed a self-review of my own code
• I have added tests that prove my fix is effective or that my feature works
• I have updated the documentation accordingly

MCP Spec Compliance

• This PR implements a feature defined in the MCP specification
• Link to relevant spec section: Link text
• Implementation follows the specification exactly

Additional Information

It's a pretty tiny change and I've tested it out locally.

Summary by CodeRabbit

• New Features
  • Added the ability to configure a custom HTTP client for OAuth operations, enabling advanced networking settings (proxies, retries, transport tweaks). This gives admins finer control over connection behavior in restricted environments.
• Improvements
  • When not configured, OAuth requests now use a default client with a 30s timeout, improving reliability and preventing indefinite hangs.

[coderabbitai]

Walkthrough

Adds an injectable HTTP client to OAuth by adding HTTPClient *http.Client to OAuthConfig, setting a default 30s client in NewOAuthHandler when nil, and having OAuthHandler use config.HTTPClient instead of a hardcoded client.

Changes

Cohort / File(s)	Change summary
OAuth HTTP client injection client/transport/oauth.go	Added HTTPClient *http.Client to OAuthConfig; NewOAuthHandler sets a default 30s-timeout client if HTTPClient is nil; OAuthHandler uses config.HTTPClient instead of a hardcoded client.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

• tra4less
• ezynda3

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description Check	⚠️ Warning	The PR description includes a summary but does not follow the repository’s template, missing the ## Description header, issue reference, Type of Change section with checkboxes, project checklist, and optional spec compliance or additional information sections, leaving critical metadata and validation steps unclear for reviewers.	Please update the PR description to follow the repository’s template by adding the ## Description header, referencing any related issue, completing the Type of Change and checklist sections, and including MCP spec compliance and additional information where relevant to ensure reviewers have all necessary context and metadata.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title clearly summarizes the main change by indicating the addition of an HTTP client option to the OAuthConfig, matching the core update in the code without extraneous detail.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e4138fc and d1d4fc1.

📒 Files selected for processing (1)

• client/transport/oauth.go (2 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**/*.go

📄 CodeRabbit inference engine (AGENTS.md)

**/*.go: Order imports: standard library first, then third-party, then local packages (goimports enforces this)
Follow Go naming conventions: exported identifiers in PascalCase; unexported in camelCase; acronyms uppercase (HTTP, JSON, MCP)
Error handling: return sentinel errors, wrap with fmt.Errorf("context: %w", err), and check with errors.Is/As
Prefer explicit types and strongly-typed structs; avoid using any except where protocol flexibility is required (e.g., Arguments any)
All exported types and functions must have GoDoc comments starting with the identifier name; avoid inline comments unless necessary
Functions that are handlers or long-running must accept context.Context as the first parameter
Ensure thread safety for shared state using sync.Mutex and document thread-safety requirements in comments
For JSON: use json struct tags with omitempty for optional fields; use json.RawMessage for flexible/deferred parsing

Files:

• client/transport/oauth.go

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: test
• GitHub Check: coverage

🔇 Additional comments (3)

client/transport/oauth.go (3)

37-39: Well-documented optional field following Go conventions.

The field documentation properly starts with the identifier name and clearly describes both the purpose and the nil-case behavior.

As per coding guidelines.

---

157-159: Clean initialization with sensible default timeout.

The nil-check and default initialization follows the same pattern as the TokenStore setup above it. The 30-second timeout is appropriate for OAuth operations including discovery, token exchange, and refresh requests.

---

163-163: Correct usage of the configured HTTP client.

The assignment properly uses the initialized config.HTTPClient, which is guaranteed to be non-nil after the check on lines 157-159.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6d52180 and e4138fc.

📒 Files selected for processing (1)

• client/transport/oauth.go (2 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**/*.go

📄 CodeRabbit inference engine (AGENTS.md)

**/*.go: Order imports: standard library first, then third-party, then local packages (goimports enforces this)
Follow Go naming conventions: exported identifiers in PascalCase; unexported in camelCase; acronyms uppercase (HTTP, JSON, MCP)
Error handling: return sentinel errors, wrap with fmt.Errorf("context: %w", err), and check with errors.Is/As
Prefer explicit types and strongly-typed structs; avoid using any except where protocol flexibility is required (e.g., Arguments any)
All exported types and functions must have GoDoc comments starting with the identifier name; avoid inline comments unless necessary
Functions that are handlers or long-running must accept context.Context as the first parameter
Ensure thread safety for shared state using sync.Mutex and document thread-safety requirements in comments
For JSON: use json struct tags with omitempty for optional fields; use json.RawMessage for flexible/deferred parsing

Files:

• client/transport/oauth.go

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: test
• GitHub Check: coverage

🔇 Additional comments (1)

client/transport/oauth.go (1)

163-163: LGTM!

The assignment correctly uses the initialized HTTPClient from the config, enabling custom client injection throughout the OAuth handler operations.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

LGTM! Verify timeout consistency across transports.

The initialization pattern matches the existing TokenStore setup and properly provides a sensible default. The 30-second timeout is reasonable for OAuth operations.

Since the PR mentions that SSE and streamable HTTP transports also allow client customization, verify that the 30-second default timeout is consistent with those implementations:

---

🏁 Script executed:

#!/bin/bash
# Description: Check default HTTP client timeouts in other transport implementations

# Search for default HTTP client initialization patterns in transport files
rg -n --type=go -A2 -B2 'http\.Client.*Timeout.*time\.(Second|Minute)' client/transport/

Length of output: 249

---

🏁 Script executed:

#!/bin/bash
# List all Go files in client/transport to inspect transport implementations
fd -t f -e go client/transport

Length of output: 369

---

🏁 Script executed:

#!/bin/bash
# List all Go files under client/transport
find client/transport -type f -name '*.go'
# Search for any http.Client default initialization in those files
rg -n --type=go 'http\.Client' client/transport

Length of output: 1467

---

Add default HTTPClient Timeout to SSE and streamable transports
The SSE (client/transport/sse.go:93) and streamable HTTP (client/transport/streamable_http.go:139) transports use &http.Client{} without a Timeout, causing inconsistent behavior compared to the 30 s default in OAuth transport. Set a default Timeout (e.g., 30 s) in those initializations.

🤖 Prompt for AI Agents

In client/transport/oauth.go around lines 157-159, and apply the same change to
client/transport/sse.go (around line 93) and client/transport/streamable_http.go
(around line 139): the transports currently initialize http.Client without a
Timeout which leads to inconsistent behavior; when creating a default
http.Client, set Timeout: 30 * time.Second (e.g., &http.Client{Timeout: 30 *
time.Second}) so all transports use the same 30s default timeout.