Add OAuth 2.0 authentication support #32

@avrabe

Description

Overview

Enhance authentication to support OAuth 2.0 flows, aligning with Atlassian's official Remote MCP Server and enabling better integration with cloud instances.

Current Status

✅ We support:

  • API Token authentication
  • Basic authentication (username + password)
  • Anonymous authentication (limited)

❌ We're missing:

  • OAuth 2.0 authorization code flow
  • OAuth 2.0 refresh tokens
  • Automatic token refresh

Motivation

  • Official Atlassian Remote MCP uses OAuth 2.1
  • Better security than API tokens
  • Required for some cloud integrations
  • Industry standard authentication method
  • Enables per-user permissions (no shared API tokens)

Proposed Implementation

1. OAuth Configuration

Add to JiraConfig:

use std::time::SystemTime;

pub enum AuthConfig {
    // Existing
    Token(String),
    Basic { username: String, password: String },
    Anonymous,

    // New: OAuth 2.0 client credentials plus the tokens obtained from the
    // authorization code exchange; tokens are None until the flow completes
    OAuth {
        client_id: String,
        client_secret: String,
        access_token: Option<String>,
        refresh_token: Option<String>,
        token_expiry: Option<SystemTime>,
    },
}

2. Environment Variables

JIRA_AUTH_TYPE=oauth
JIRA_OAUTH_CLIENT_ID=your-client-id
JIRA_OAUTH_CLIENT_SECRET=your-client-secret
JIRA_OAUTH_REDIRECT_URI=http://localhost:8080/callback

3. OAuth Flow

Implement authorization code flow:

  1. Generate authorization URL
  2. User visits URL and grants permission
  3. Receive callback with authorization code
  4. Exchange code for access + refresh tokens
  5. Store tokens securely
  6. Auto-refresh when expired

4. New Tools (Optional)

  • init_oauth_flow() - Start OAuth flow, return auth URL
  • complete_oauth_flow(code: String) - Complete OAuth with code
  • refresh_oauth_token() - Manually refresh token

Implementation Notes

Dependencies

Consider adding:

  • oauth2 crate for OAuth flows
  • reqwest (already have) for HTTP
  • Token storage in cache or config file

Token Storage

  • Store refresh token securely (encrypted?)
  • Store access token in memory
  • Persist refresh token to file for reuse

Auto-Refresh

  • Check token expiry before each API call
  • Automatically refresh if expired
  • Handle refresh failures gracefully
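The expiry check and refresh-on-demand logic described above, as an added example that is not the project's code. It uses the token fields from the proposed AuthConfig, treats an unknown expiry as expired, applies a small skew margin, keeps the old refresh token when the server does not rotate it, and surfaces refresh failures as typed errors; the `refresh` hook that would POST to the token endpoint is a hypothetical closure so the logic runs offline.

```rust
use std::time::{Duration, SystemTime};

/// Tokens from the authorization code exchange (same fields as AuthConfig::OAuth).
#[derive(Debug, Clone, PartialEq)]
pub struct OAuthTokens {
    pub access_token: String,
    pub refresh_token: Option<String>,
    pub token_expiry: Option<SystemTime>,
}

#[derive(Debug, PartialEq)]
pub enum AuthError {
    /// No refresh token was issued; the user must re-run the authorization flow.
    NoRefreshToken,
    /// The authorization server rejected the refresh (revoked or rotated token).
    RefreshFailed(String),
}

/// Treat a token as expired slightly before the server does, so a request
/// that is in flight at the boundary does not fail with 401.
const EXPIRY_SKEW: Duration = Duration::from_secs(30);

impl OAuthTokens {
    pub fn is_expired(&self, now: SystemTime) -> bool {
        match self.token_expiry {
            None => true, // unknown expiry: be conservative and refresh
            Some(exp) => now + EXPIRY_SKEW >= exp,
        }
    }
}

/// Return a usable access token, refreshing first if the cached one is expired.
/// `refresh` is a hypothetical hook performing the network call with the refresh token.
pub fn ensure_valid_token<F>(tokens: &mut OAuthTokens, now: SystemTime, refresh: F)
    -> Result<String, AuthError>
where
    F: FnOnce(&str) -> Result<OAuthTokens, String>,
{
    if !tokens.is_expired(now) {
        return Ok(tokens.access_token.clone());
    }
    let rt = tokens.refresh_token.as_deref().ok_or(AuthError::NoRefreshToken)?;
    match refresh(rt) {
        Ok(new) => {
            // Refresh-token rotation: keep the old one only if no new one was issued.
            let keep = new.refresh_token.clone().or_else(|| tokens.refresh_token.clone());
            *tokens = OAuthTokens { refresh_token: keep, ..new };
            Ok(tokens.access_token.clone())
        }
        Err(e) => Err(AuthError::RefreshFailed(e)),
    }
}
```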

gouqi Support

Check if gouqi 0.19 supports OAuth:

  • May need to extend Credentials enum
  • May need to implement custom auth header injection

Acceptance Criteria

  • OAuth 2.0 authorization code flow implemented
  • Token refresh automatically handled
  • Environment variable configuration
  • Secure token storage
  • Documentation for OAuth setup
  • Example OAuth client configuration
  • Error handling for token refresh failures

Priority

Medium - Important for cloud/modern deployments, but not blocking for V2 self-hosted

Related Issues

  • Current auth is in src/config.rs
  • JIRA client is in src/jira_client.rs

Estimated Effort

Medium (3-4 days)

Resources
