fix(all): resolve OAuth popup not communicating back to parent window

When installing OAuth-requiring MCP servers (e.g., plane.so), the popup
window loses window.opener after cross-origin redirect chain, causing
postMessage to silently fail. Users get stuck on the install wizard.
Add fallback: when window.opener is null, backend redirects popup to a
new frontend route (/oauth/callback-complete) which uses BroadcastChannel
(same-origin) to notify the parent window, then closes itself.

Author: Lasim

services/backend/src/routes/mcp/installations/callback.ts

@@ -75,18 +75,15 @@ export default async function oauthCallbackRoute(server: FastifyInstance) {
 							${query.error_description ? `<p>${sanitizeText(query.error_description)}</p>` : ''}
 							<p>Closing window...</p>
 							<script>
-								// Post error message to parent window
 								if (window.opener) {
 									window.opener.postMessage({
 										type: 'oauth_error',
 										error: '${sanitizeText(errorMsg)}'
 									}, '${frontendUrl}');
+									setTimeout(function() { window.close(); }, 500);
+								} else {
+									window.location.href = '${frontendUrl}/oauth/callback-complete?type=oauth_error&error=${encodeURIComponent(sanitizeText(errorMsg))}';
 								}
-
-								// Close the popup window
-								setTimeout(() => {
-									window.close();
-								}, 500);
 							</script>
 						</body>
 					</html>
@@ -293,10 +290,10 @@ export default async function oauthCallbackRoute(server: FastifyInstance) {
 												type: 'oauth_error',
 												error: 'Token record not found'
 											}, '${frontendUrl}');
+											setTimeout(function() { window.close(); }, 2000);
+										} else {
+											window.location.href = '${frontendUrl}/oauth/callback-complete?type=oauth_error&error=Token+record+not+found';
 										}
-										setTimeout(() => {
-											window.close();
-										}, 2000);
 									</script>
 								</body>
 							</html>
@@ -438,10 +435,10 @@ export default async function oauthCallbackRoute(server: FastifyInstance) {
 											type: 'oauth_reauth_success',
 											installation_id: '${flow.installation_id}'
 										}, '${frontendUrl}');
+										setTimeout(function() { window.close(); }, 500);
+									} else {
+										window.location.href = '${frontendUrl}/oauth/callback-complete?type=oauth_reauth_success&installation_id=${flow.installation_id}';
 									}
-									setTimeout(() => {
-										window.close();
-									}, 500);
 								</script>
 							</body>
 						</html>
@@ -629,18 +626,15 @@ export default async function oauthCallbackRoute(server: FastifyInstance) {
 							<h1>Authorization Successful</h1>
 							<p>Closing window...</p>
 							<script>
-								// Post success message to parent window
 								if (window.opener) {
 									window.opener.postMessage({
 										type: 'oauth_success',
 										installation_id: '${installationId}'
 									}, '${frontendUrl}');
+									setTimeout(function() { window.close(); }, 500);
+								} else {
+									window.location.href = '${frontendUrl}/oauth/callback-complete?type=oauth_success&installation_id=${installationId}';
 								}
-
-								// Close the popup window
-								setTimeout(() => {
-									window.close();
-								}, 500);
 							</script>
 						</body>
 					</html>
@@ -672,18 +666,15 @@ export default async function oauthCallbackRoute(server: FastifyInstance) {
 							<p>An error occurred while processing the authorization.</p>
 							<p>Closing window...</p>
 							<script>
-								// Post error message to parent window
 								if (window.opener) {
 									window.opener.postMessage({
 										type: 'oauth_error',
 										error: '${sanitizeText(errorMessage)}'
 									}, '${frontendUrl}');
+									setTimeout(function() { window.close(); }, 500);
+								} else {
+									window.location.href = '${frontendUrl}/oauth/callback-complete?type=oauth_error&error=${encodeURIComponent(sanitizeText(errorMessage))}';
 								}
-
-								// Close the popup window
-								setTimeout(() => {
-									window.close();
-								}, 500);
 							</script>
 						</body>
 					</html>

services/frontend/src/components/deploy/steps/ConfigureEnvironmentStep.vue

@@ -179,7 +179,7 @@ function onArgTypeChange(arg: ArgItem) {
         <!-- Type selector -->
         <Select
           :model-value="env.type"
-          @update:model-value="(val: ConfigType) => { env.type = val; onEnvTypeChange(env) }"
+          @update:model-value="(val) => { env.type = val as ConfigType; onEnvTypeChange(env) }"
         >
           <SelectTrigger class="w-[120px]">
             <SelectValue />
@@ -255,7 +255,7 @@ function onArgTypeChange(arg: ArgItem) {
         <!-- Type selector -->
         <Select
           :model-value="arg.type"
-          @update:model-value="(val: ConfigType) => { arg.type = val; onArgTypeChange(arg) }"
+          @update:model-value="(val) => { arg.type = val as ConfigType; onArgTypeChange(arg) }"
         >
           <SelectTrigger class="w-[120px]">
             <SelectValue />

services/frontend/src/components/mcp-server/wizard/McpServerInstallWizard.vue

@@ -304,6 +304,9 @@ const handleValidationChange = (isValid: boolean, missingFields: string[]) => {
 // OAuth popup reference
 const oauthPopup = ref<Window | null>(null)
 
+// BroadcastChannel for cross-tab OAuth communication (fallback when window.opener is null)
+let oauthBroadcastChannel: BroadcastChannel | null = null
+
 // Handle OAuth authorization
 const handleOAuthAuthorization = async () => {
   try {
@@ -366,17 +369,9 @@ const handleOAuthAuthorization = async () => {
   }
 }
 
-// Handle OAuth popup messages
-const handleOAuthMessage = (event: MessageEvent) => {
-  const backendUrl = new URL(import.meta.env.VITE_DEPLOYSTACK_BACKEND_URL || 'http://localhost:3000')
-  const allowedOrigins = [window.location.origin, backendUrl.origin]
-
-  if (!allowedOrigins.includes(event.origin)) {
-    console.warn('Rejected postMessage from unauthorized origin:', event.origin)
-    return
-  }
-
-  if (event.data.type === 'oauth_success') {
+// Process OAuth result data (shared between postMessage and BroadcastChannel)
+const processOAuthResult = (data: any) => {
+  if (data.type === 'oauth_success') {
     if (oauthPopup.value && !oauthPopup.value.closed) {
       oauthPopup.value.close()
     }
@@ -387,23 +382,44 @@ const handleOAuthMessage = (event: MessageEvent) => {
     })
 
     eventBus.emit('mcp-installations-updated')
-    router.push('/mcp-server')
-  }
 
-  else if (event.data.type === 'oauth_error') {
-    const { error } = event.data
+    const installationId = data.installation_id
+    if (installationId) {
+      router.push(`/mcp-server/installation/${installationId}/general`)
+    } else {
+      router.push('/mcp-server')
+    }
+  }
 
+  else if (data.type === 'oauth_error') {
     if (oauthPopup.value && !oauthPopup.value.closed) {
       oauthPopup.value.close()
     }
     oauthPopup.value = null
 
     toast.error('Authentication failed', {
-      description: error || 'OAuth authorization failed. Please try again.'
+      description: data.error || 'OAuth authorization failed. Please try again.'
     })
   }
 }
 
+// Handle OAuth popup messages via postMessage
+const handleOAuthMessage = (event: MessageEvent) => {
+  if (!event.data?.type || !['oauth_success', 'oauth_error', 'oauth_reauth_success'].includes(event.data.type)) {
+    return
+  }
+
+  const backendUrl = new URL(import.meta.env.VITE_DEPLOYSTACK_BACKEND_URL || 'http://localhost:3000')
+  const allowedOrigins = [window.location.origin, backendUrl.origin]
+
+  if (!allowedOrigins.includes(event.origin)) {
+    console.warn('Rejected postMessage from unauthorized origin:', event.origin)
+    return
+  }
+
+  processOAuthResult(event.data)
+}
+
 // Watch for serverData changes and reinitialize form
 watch(() => props.serverData, () => {
   initializeEnvironmentForm()
@@ -423,11 +439,29 @@ onMounted(async () => {
   }
 
   window.addEventListener('message', handleOAuthMessage)
+
+  // BroadcastChannel fallback for when window.opener is null (cross-origin redirect chain)
+  try {
+    oauthBroadcastChannel = new BroadcastChannel('deploystack_oauth')
+    oauthBroadcastChannel.onmessage = (event: MessageEvent) => {
+      if (!event.data?.type || !['oauth_success', 'oauth_error', 'oauth_reauth_success'].includes(event.data.type)) {
+        return
+      }
+      processOAuthResult(event.data)
+    }
+  } catch {
+    // BroadcastChannel not supported - postMessage is the only fallback
+  }
 })
 
 onUnmounted(() => {
   window.removeEventListener('message', handleOAuthMessage)
 
+  if (oauthBroadcastChannel) {
+    oauthBroadcastChannel.close()
+    oauthBroadcastChannel = null
+  }
+
   if (oauthPopup.value && !oauthPopup.value.closed) {
     oauthPopup.value.close()
   }

services/frontend/src/router/index.ts

@@ -85,6 +85,15 @@ const routes: RouteRecordRaw[] = [
       title: 'Authorize MCP Access'
     },
   },
+  {
+    path: '/oauth/callback-complete',
+    name: 'OAuthCallbackComplete',
+    component: () => import('../views/oauth/OAuthCallbackComplete.vue'),
+    meta: {
+      requiresSetup: false,
+      title: 'Authorization Complete'
+    },
+  },
   {
     path: '/dashboard',
     name: 'Dashboard',

services/frontend/src/views/oauth/OAuthCallbackComplete.vue

@@ -0,0 +1,43 @@
+<script setup lang="ts">
+/**
+ * Lightweight page loaded in the OAuth popup after the backend callback completes.
+ * Since this page is same-origin as the parent window, BroadcastChannel works
+ * to notify the install wizard, even when window.opener is null.
+ */
+import { onMounted } from 'vue'
+import { useRoute } from 'vue-router'
+
+const route = useRoute()
+
+onMounted(() => {
+  const type = route.query.type as string
+  const installationId = route.query.installation_id as string
+  const error = route.query.error as string
+
+  if (type) {
+    try {
+      const bc = new BroadcastChannel('deploystack_oauth')
+      bc.postMessage({
+        type,
+        installation_id: installationId || undefined,
+        error: error || undefined
+      })
+      bc.close()
+    } catch {
+      // BroadcastChannel not supported
+    }
+  }
+
+  // Always try to close the popup
+  window.close()
+})
+</script>
+
+<template>
+  <div class="flex items-center justify-center h-screen bg-gray-50">
+    <div class="text-center p-8 bg-white rounded-lg shadow-sm">
+      <p class="text-gray-600">Completing authorization...</p>
+      <p class="text-sm text-gray-400 mt-2">This window will close automatically.</p>
+    </div>
+  </div>
+</template>