
Feat/dxaa 596 set skip non verifiable uri confirmation prompt#162

Merged
wdaimee merged 6 commits into main from feat/DXAA-596-set-skip-non-verifiable-uri-confirmation-prompt on May 28, 2026

Conversation

@wdaimee (Contributor) commented May 8, 2026

Changes

This change introduces setting skip_non_verifiable_callback_uri_confirmation_prompt to true when a callback URL that contains a non-verifiable URI (such as localhost or a custom URI scheme, e.g. myapp://newpage) is set in the user's Auth0 application.

This setting ensures that a user can log in and reload their project when using an Auth0 application created with the Auth0 MCP Server without any loss of authentication state. If this setting isn't set and a user uses a non-verifiable callback URL (which will most likely be the case for users when in development), the user may get logged out of their application if they reload the page after a successful login. The login state will not be preserved during reload.

This issue is likely to impact users integrating an Auth0 SDK for the first time and Onboarding is heavily impacted.

The following changes have been implemented:

  1. Added a hasNonVerifiableCallbacks utility function to src/utils/onboarding.ts that detects non-verifiable callback URIs (localhost, loopback IPs 127.x.x.x, ::1, and custom URI schemes like myapp://).

  2. Added the following logic to the auth0_update_application tool handler in src/tools/applications.ts:

    • Exposed skip_non_verifiable_callback_uri_confirmation_prompt as an explicit input parameter on the tool
    • If the parameter is explicitly provided, it is passed through directly to the update payload
    • If the parameter is not provided but the callbacks array contains non-verifiable URIs, the flag is automatically set to true:

    // Only auto-set the flag when the caller did not pass it explicitly
    if (updateData.skip_non_verifiable_callback_uri_confirmation_prompt === undefined && callbacks && hasNonVerifiableCallbacks(callbacks)) {
        updateData.skip_non_verifiable_callback_uri_confirmation_prompt = true;
    }

  3. Added the following logic to the auth0_create_application tool handler in src/tools/applications.ts:

    • If the callbacks array contains non-verifiable URIs, the flag is automatically set to true on create:

    if (callbacks && hasNonVerifiableCallbacks(callbacks)) {
        clientData.skip_non_verifiable_callback_uri_confirmation_prompt = true;
    }

  4. Updated the auth0_create_application tool description to notify the LLM to always tell the user that secrets have been redacted and that automatic settings were applied, such as skip_non_verifiable_callback_uri_confirmation_prompt:

    'Create a new Auth0 application with the tenant. Prefer OIDC compliant unless otherwise specified. After creating, always explicitly tell the user that the client_secret is redacted in this response for security and provide the dashboard URL and API URL from _credentials_access so they know where to view the full secret. Also inform the user about any automatically applied settings (such as `skip_non_verifiable_callback_uri_confirmation_prompt`). To save credentials locally, always ask the user for a file path before calling auth0_save_credentials_to_file — never assume a default path.'

  5. Updated the auth0_update_application tool description to notify the LLM to always inform the user if an automatic setting was applied, such as skip_non_verifiable_callback_uri_confirmation_prompt:

    'Update an existing Auth0 application. After updating, always inform the user about any automatically applied settings (such as skip_non_verifiable_callback_uri_confirmation_prompt).'

  6. Unit tests have been added to test/tools/applications.test.ts and test/utils/onboarding.test.ts for the above logic.

References

https://auth0team.atlassian.net/browse/DXAA-596

Testing


  • This change adds unit test coverage
  • This change adds integration test coverage
  1. When running the create application tool in Copilot, the flag is set correctly:
     (screenshot)
  2. When running the update application tool in Copilot to switch the flag to false, it runs successfully, updating the flag:
     (screenshot)

These changes can be tested by:

  1. Switch to the feat/DXAA-596-set-skip-non-verifiable-uri-confirmation-prompt branch
  2. Run npm run build
  3. Initialize the mcp server with the init command: npx . init --client vscode (if using vscode)
  4. Ensure the MCP server is running (you can check the Output tab in terminal or view the mcp.json file)
  5. Use Copilot and ask it to run the create application tool for an SPA, set the callback url to a non-verifiable uri (http://localhost:3000 or similar)
  6. After confirmation, prompt the LLM to confirm if the skip_non_verifiable_callback_uri_confirmation_prompt was set to true

Hosted MCP Server E2E Tests (API2)
All E2E tests pass for the mcp-api in API2, pointing mcp-api to the local version of auth0-mcp-server with the changes from this PR:

(screenshot)

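Added example, not code from this PR or from the auth0-mcp-server project: a TypeScript sketch of the detection the description lists (localhost, 127.x.x.x, ::1, custom URI schemes) together with the "explicit value wins, otherwise auto-set" rule from the update handler. The function names, the ApplicationPayload shape and the decision to leave unparseable entries untouched are assumptions for illustration; the project's real src/utils/onboarding.ts may differ.

```typescript
// Added example (not the auth0-mcp-server project's own code).
// Names and the payload shape below are assumptions for illustration.

// Schemes Auth0 can attempt to verify; anything else (myapp://, com.example://)
// is treated as a custom scheme and therefore non-verifiable.
const VERIFIABLE_SCHEMES = new Set(["http:", "https:"]);

/** Loopback host: "localhost", any 127.x.x.x address, or the IPv6 ::1 address. */
function isLoopbackHost(hostname: string): boolean {
  const host = hostname.toLowerCase();
  if (host === "localhost") return true;
  // The WHATWG URL parser reports IPv6 hosts in brackets, e.g. "[::1]".
  if (host === "[::1]" || host === "::1") return true;
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
}

/** True when one callback URI is of a kind Auth0 cannot verify. */
function isNonVerifiableCallback(uri: string): boolean {
  let parsed: URL;
  try {
    parsed = new URL(uri.trim());
  } catch {
    // Assumption: an entry that is not a URL at all is left for the Auth0
    // API's own validation and is not a reason to suppress the prompt.
    return false;
  }
  if (!VERIFIABLE_SCHEMES.has(parsed.protocol)) return true; // custom scheme
  return isLoopbackHost(parsed.hostname);
}

/** Counterpart of the PR's hasNonVerifiableCallbacks utility (assumed shape). */
function hasNonVerifiableCallbacks(callbacks: string[]): boolean {
  return callbacks.some(isNonVerifiableCallback);
}

// Minimal payload shape for the create/update handlers (assumption).
interface ApplicationPayload {
  callbacks?: string[];
  skip_non_verifiable_callback_uri_confirmation_prompt?: boolean;
}

/**
 * Mirrors the update-handler rule from the PR: a value the caller passed
 * explicitly (including false) is kept; only when the flag is absent and the
 * callbacks contain a non-verifiable URI is it set to true.
 */
function applyNonVerifiableDefault(payload: ApplicationPayload): ApplicationPayload {
  const out: ApplicationPayload = { ...payload };
  if (
    out.skip_non_verifiable_callback_uri_confirmation_prompt === undefined &&
    out.callbacks &&
    hasNonVerifiableCallbacks(out.callbacks)
  ) {
    out.skip_non_verifiable_callback_uri_confirmation_prompt = true;
  }
  return out;
}

// Constructed sample input: a typical development SPA configuration.
const sampleUpdate: ApplicationPayload = {
  callbacks: ["http://localhost:3000/callback", "https://app.example.com/callback"],
};
console.log(applyNonVerifiableDefault(sampleUpdate));
```

The explicit-false case matters in review: a caller who deliberately wants the confirmation prompt must not have it overridden, which is why the check is against undefined rather than a falsy test.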

@wdaimee wdaimee marked this pull request as ready for review May 8, 2026 19:02
@wdaimee wdaimee requested a review from a team as a code owner May 8, 2026 19:02
Comment thread on src/tools/applications.ts (outdated)

@kushalshit27 (Contributor) left a comment:

LGTM

@wdaimee wdaimee merged commit 96d2528 into main May 28, 2026
2 checks passed
@wdaimee wdaimee deleted the feat/DXAA-596-set-skip-non-verifiable-uri-confirmation-prompt branch May 28, 2026 13:25
GilbertLS added a commit that referenced this pull request Jun 3, 2026
Remove the duplicate hasNonVerifiableCallbacks from quickstart-guide now
that the canonical implementation from PR #162 is available, resolving the
standing TODO. Drops the redundant test block; coverage lives in
onboarding.test.ts.