Dashboard OAuth Status Display (Read-Only Information Panel)

[doobidoo]

Summary

Add a read-only OAuth status display to the dashboard settings modal for operational visibility. This explicitly does NOT include OAuth configuration UI, which would be a security anti-pattern.

Decision: No Full OAuth Configuration UI ❌

Rejected Approach: OAuth configuration/management in dashboard
Reasoning:

• ❌ Security Anti-Pattern: Exposing OAuth credentials (secret keys, RSA private keys) in browser UI creates XSS attack surface and violates OAuth 2.1 security best practices
• ❌ Configuration Philosophy Mismatch: OAuth is infrastructure-level configuration (like database URLs) that belongs in .env/environment variables, not runtime UI
• ❌ Restart Requirement: OAuth config changes require server restart anyway - no hot-reload benefit
• ❌ Target Audience Mismatch: OAuth setup is for system administrators (deployment time), not memory service users (runtime)
• ❌ Complexity: Would require admin authentication, secure key storage API, restart mechanism for marginal UX gain

Current State: OAuth 2.1 is fully implemented (Issue #116) and configured via environment variables - this works well and is secure.

Approved Alternative: Read-Only Status Display ✅

Add an informational OAuth status section to the existing Settings modal (after "System Information" section).

Display Information (Read-Only)

OAuth Security Status
├─ OAuth Enabled: Yes ✓ / No
├─ JWT Algorithm: RS256 (or HS256)
├─ Token Lifetime: 60 minutes
├─ Authorization Code Lifetime: 10 minutes
├─ Issuer URL: http://localhost:8000
└─ Registered Clients: 3 (count only)

What This DOES NOT Include

• ❌ No OAuth enable/disable toggle
• ❌ No credential display (keys, secrets, client IDs)
• ❌ No key regeneration buttons
• ❌ No client registration UI
• ❌ No configuration changes of any kind

Implementation Plan

Backend:

1. Create new API endpoint: GET /api/oauth/status
   • Location: src/mcp_memory_service/web/api/oauth_status.py (new file)
   • Returns public OAuth information only (no sensitive data)
   • Response schema:

     {
       "oauth_enabled": true,
       "jwt_algorithm": "RS256",
       "access_token_expire_minutes": 60,
       "authorization_code_expire_minutes": 10,
       "issuer": "http://localhost:8000",
       "registered_clients_count": 3
     }

   • Uses existing oauth_storage.get_stats() for client count

Frontend:

1. Update src/mcp_memory_service/web/static/index.html:

   • Add new section in settings modal after "System Information" (line ~1164)
   • Add OAuth status info rows (similar to existing system info structure)

2. Update src/mcp_memory_service/web/static/app.js:

   • Add loadOAuthStatus() function
   • Call on settings modal open
   • Display fetched status information

3. Add i18n keys to src/mcp_memory_service/web/static/i18n.js:

   • OAuth status labels for all 7 supported languages

Security Considerations:

• ✅ No sensitive data exposure
• ✅ Read-only information only
• ✅ Uses existing OAuth config (no new security surface)
• ✅ Helps troubleshooting without compromising security

Use Case

Problem: Administrator deploys the service with OAuth enabled via .env but wants to verify:

• Is OAuth actually enabled?
• What JWT algorithm is being used?
• How many clients are registered?

Solution: Open dashboard settings → See OAuth status section → Verify configuration is working

Benefit: Operational visibility without security risks

Alternatives Considered

Approach	Status	Reason
Full OAuth config UI in dashboard	❌ Rejected	Security anti-pattern, credentials in browser
Read-only status display	✅ Approved	Safe, useful for troubleshooting
Separate admin panel (/admin/oauth)	🔮 Future Enhancement	If client management needed later
Leave as-is (.env only)	✅ Also Valid	Current approach is secure and working

Documentation

• Current OAuth setup: docs/oauth-setup.md (comprehensive, no changes needed)
• OAuth implementation: Issue Implement OAuth 2.1 Dynamic Client Registration for Claude Code HTTP Transport #116 (completed)
• Dashboard guide: Wiki - Web Dashboard Guide

Labels

• enhancement - New feature addition
• dashboard - Affects web dashboard UI
• low-priority - Nice-to-have, not critical
• security-reviewed - Explicitly designed to avoid security issues

Related Issues

• Implement OAuth 2.1 Dynamic Client Registration for Claude Code HTTP Transport #116 - Implement OAuth 2.1 Dynamic Client Registration (completed)

Notes

This issue represents a deliberately scoped-down feature request that prioritizes security over convenience. The decision to reject full OAuth configuration in the dashboard is intentional and should not be reconsidered without thorough security review.