Support explicit OAuth credentials for remote MCP servers #2394
Open
dgageot wants to merge 1 commit into docker:main from
Add support for configuring explicit OAuth client credentials (clientId, clientSecret, callbackPort, scopes) on remote MCP server toolsets. This fixes connections to MCP servers that do not support Dynamic Client Registration (RFC 7591), such as Slack and GitHub.

Key changes:
- Add RemoteOAuthConfig to config types with clientId, clientSecret, callbackPort, and scopes fields
- Stop fabricating registration_endpoint when the server doesn't advertise one in metadata discovery
- Use explicit credentials in the managed OAuth flow when configured, falling back to dynamic registration when available
- Support fixed callback port for OAuth redirect URI
- Add scopes parameter to BuildAuthorizationURL
- Validate callbackPort range (1-65535) and oauth on non-mcp types
- Update agent-schema.json with RemoteOAuthConfig definition
- Add example config (examples/remote_mcp_oauth.yaml)

Fixes docker#2248

Co-Authored-By: nicholasgasior <nicholasgasior@users.noreply.github.com>
Co-Authored-By: rumpl <rumpl@users.noreply.github.com>
Assisted-By: docker-agent
44fbeb6 to
0c46839
Compare
Contributor
/review
Assessment: 🟢 APPROVE
No critical issues found in the changed code.
This PR adds explicit OAuth credential configuration for remote MCP servers. The implementation correctly:
- Validates callback port ranges (allowing 0 for random port selection)
- Requires clientId when OAuth is configured
- Handles the priority order for credential resolution (explicit config → dynamic registration → error)
The code follows the project's conventions for config schema versioning and includes appropriate example YAML.
krissetto
reviewed
Apr 13, 2026
| return errors.New("oauth requires clientId to be set") | ||
| } | ||
| if t.Remote.OAuth.CallbackPort != 0 && (t.Remote.OAuth.CallbackPort < 1 || t.Remote.OAuth.CallbackPort > 65535) { | ||
| return errors.New("oauth callbackPort must be between 1 and 65535") |
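Review bot: The callbackPort error text does not match the condition in this hunk: `CallbackPort != 0 &&` lets 0 through, but the message says "must be between 1 and 65535", so a user reading the error cannot tell that 0 is an accepted value. Say so in the message or document it next to the field. The condition itself reduces to `CallbackPort < 0 || CallbackPort > 65535`, which is easier to read and rejects the same values.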
Contributor
I don't think we should go all the way to port 1, that'd require root permissions
krissetto
approved these changes
Apr 13, 2026
This PR is an attempt at continuing the work started in #2273 and #2274 to fix #2248.
Problem
Remote MCP servers that don't support Dynamic Client Registration (RFC 7591) — such as Slack and GitHub — fail because the code fabricates a registration_endpoint when none is advertised, then tries (and fails) to dynamically register.
Solution
Allow users to configure explicit OAuth credentials (clientId, clientSecret, callbackPort, scopes) directly in the remote MCP toolset config. The managed OAuth flow now resolves credentials in priority order:
- clientId/clientSecret from the YAML
- registration_endpoint
Key changes
- Add RemoteOAuthConfig to config types with clientId, clientSecret, callbackPort, and scopes fields
- Stop fabricating registration_endpoint in validateAndFillDefaults() and createDefaultMetadata()
- Add scopes parameter to BuildAuthorizationURL
- Validate callbackPort range (1–65535) and oauth on non-mcp types
- Update agent-schema.json with RemoteOAuthConfig definition
- Add example config (examples/remote_mcp_oauth.yaml)
Example
Co-authored-by: nicholasgasior <nicholasgasior@users.noreply.github.com>
Co-authored-by: rumpl <rumpl@users.noreply.github.com>
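The resolution order in the description above (explicit credentials first, dynamic registration only when the server really advertises a registration_endpoint, otherwise an error), as an added Go example that is not code from this PR. The names `ResolveClient`, `ServerMetadata`, `Validate` and `ErrNoClient` are hypothetical; the field names follow the YAML keys listed in the description, and treating port 0 as "random port" follows the review comment.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical types; field names mirror the YAML keys named in the PR text.
type RemoteOAuthConfig struct {
	ClientID, ClientSecret string
	CallbackPort           int // 0 means: let the OS pick a free port
	Scopes                 []string
}

// ServerMetadata holds only what discovery returned; an empty endpoint is never filled in.
type ServerMetadata struct{ RegistrationEndpoint string }

var ErrNoClient = errors.New("no explicit oauth credentials and server advertises no registration_endpoint")

// Validate rejects a config that cannot produce a usable OAuth client.
func (c *RemoteOAuthConfig) Validate() error {
	if c.ClientID == "" {
		return errors.New("oauth requires clientId to be set")
	}
	if c.CallbackPort < 0 || c.CallbackPort > 65535 {
		return errors.New("oauth callbackPort must be 0 (random) or between 1 and 65535")
	}
	return nil
}

// ResolveClient returns "explicit" or "dynamic" in that priority order, else ErrNoClient.
func ResolveClient(cfg *RemoteOAuthConfig, md ServerMetadata) (string, error) {
	if cfg != nil {
		if err := cfg.Validate(); err != nil {
			return "", err // a broken explicit config must not fall through to registration
		}
		return "explicit", nil
	}
	if md.RegistrationEndpoint != "" {
		return "dynamic", nil
	}
	return "", ErrNoClient
}

func main() {
	// Constructed input: explicit credentials, server without registration_endpoint.
	fmt.Println(ResolveClient(&RemoteOAuthConfig{ClientID: "example-client-id", CallbackPort: 8080}, ServerMetadata{}))
	fmt.Println(ResolveClient(nil, ServerMetadata{})) // neither path available
}
```

An invalid explicit config returns its validation error instead of silently switching to dynamic registration, so a typo in the YAML cannot change which client identity is used.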