Authentication fails when the Auth popup window removes window.opener #33
Description
Describe the bug
We are using WorkOS authkit for our MCP server authentication, and it seems like whenever the auth flow window is opened, it removes the value of window.opener (likely for as a security measure). So when the auth flow is completed and the onMcpAuthorization callback is called, it will reach this line and fail:
Line 75 in 8952e3b
Expected behavior
I imagine that not only WorkOS would be removing the value of window.opener, so it's likely better to use a more reliable communication method that would always work.
For example, using localStorage + polling might be more reliable and still provide very similar behaviour to the current API I imagine? (Meaning instead of the onMcpAuthoriazation callback function trying to communicate directly with the original window using window.opener.postMessage, it can insert the result in a localStorage queue/cell, and the original window would be polling this same queue/cell for new entries & processing them when it finds any.
Of course there's a bit of extra overhead with this approach, but I believe it should be more reliable with different auth providers?
I checked how some other MCP clients do this, and saw that most of them go about it in a similar way. (Not with window.opener)
Thanks a lot btw for your work on this useful wrapper 🙏