Add dynamic OAuth discovery for community MCP servers

Community servers from third-party registries lack oauth.providers metadata,
so the existing IsRemoteOAuthServer() gate prevents DCR entries from being
created. This adds a fallback path that probes remote servers for OAuth
support using DiscoverOAuthRequirements() and creates pending DCR entries.

- Add RegisterProviderForDynamicDiscovery() in pkg/oauth/dcr_registration.go
- Add fallback branch in workingset, server enable, and gateway mcpadd
- Expand gateway OAuth condition to match remote servers without oauth.providers

Author: jchangx

cmd/docker-mcp/server/enable.go

@@ -79,6 +79,15 @@ func update(ctx context.Context, docker docker.Client, dockerCli command.Cli, ad
 				fmt.Printf("Server %s requires OAuth authentication but DCR is disabled.\n", serverName)
 				fmt.Printf("   To enable automatic OAuth setup, run: docker mcp feature enable mcp-oauth-dcr\n")
 				fmt.Printf("   Or set up OAuth manually using: docker mcp oauth authorize %s\n", serverName)
+			} else if mcpOAuthDcrEnabled && server.Type == "remote" && !server.IsOAuthServer() && server.Remote.URL != "" {
+				// Community server without oauth.providers — probe for OAuth
+				if pkgoauth.IsCEMode() {
+					fmt.Printf("Remote server %s enabled. Run 'docker mcp oauth authorize %s' if authentication is required\n", serverName, serverName)
+				} else {
+					if err := pkgoauth.RegisterProviderForDynamicDiscovery(ctx, serverName, server.Remote.URL); err != nil {
+						fmt.Printf("Warning: Dynamic OAuth discovery failed for %s: %v\n", serverName, err)
+					}
+				}
 			}
 		} else {
 			return fmt.Errorf("server %s not found in catalog", serverName)

pkg/gateway/mcpadd.go

@@ -289,7 +289,8 @@ func addServerHandler(g *Gateway, clientConfig *clientConfig) mcp.ToolHandler {
 		// Handle OAuth DCR only when the client supports elicitation (e.g. not stdio-based clients)
 		if g.McpOAuthDcrEnabled &&
 			serverConfig != nil &&
-			serverConfig.Spec.IsRemoteOAuthServer() {
+			(serverConfig.Spec.IsRemoteOAuthServer() ||
+				(serverConfig.Spec.Type == "remote" && !serverConfig.Spec.IsOAuthServer() && serverConfig.Spec.Remote.URL != "")) {
 
 			init := req.Session.InitializeParams()
 			if init != nil &&
@@ -444,7 +445,14 @@ func (g *Gateway) getRemoteOAuthServerStatus(ctx context.Context, serverName str
 	if !providerExists {
 		// Register DCR client with DD so user can authorize
 		if err := oauth.RegisterProviderForLazySetup(ctx, serverName); err != nil {
-			log.Logf("Warning: Failed to register OAuth provider for %s: %v", serverName, err)
+			// Fallback: try dynamic discovery for community servers without oauth.providers
+			if serverConfig, _, found := g.configuration.Find(serverName); found && serverConfig.Spec.Remote.URL != "" {
+				if err := oauth.RegisterProviderForDynamicDiscovery(ctx, serverName, serverConfig.Spec.Remote.URL); err != nil {
+					log.Logf("Warning: Failed to register OAuth provider for %s: %v", serverName, err)
+				}
+			} else {
+				log.Logf("Warning: Failed to register OAuth provider for %s: %v", serverName, err)
+			}
 		}
 
 		// Start provider (CE mode only - Desktop mode doesn't need polling)

pkg/oauth/dcr_registration.go

@@ -3,9 +3,12 @@ package oauth
 import (
 	"context"
 	"fmt"
+	"time"
 
-	"github.com/docker/mcp-gateway/pkg/catalog"
+	oauthhelpers "github.com/docker/mcp-gateway-oauth-helpers"
 	"github.com/docker/mcp-gateway/pkg/desktop"
+
+	"github.com/docker/mcp-gateway/pkg/catalog"
 )
 
 // RegisterProviderForLazySetup registers a DCR provider with Docker Desktop
@@ -46,6 +49,33 @@ func RegisterProviderForLazySetup(ctx context.Context, serverName string) error
 	return client.RegisterDCRClientPending(ctx, serverName, dcrRequest)
 }
 
+// RegisterProviderForDynamicDiscovery probes a remote server for OAuth support
+// and creates a pending DCR entry if the server requires OAuth.
+// This is used for community servers that lack oauth.providers metadata in the catalog.
+// Idempotent - safe to call multiple times for the same server.
+func RegisterProviderForDynamicDiscovery(ctx context.Context, serverName, serverURL string) error {
+	client := desktop.NewAuthClient()
+
+	// Idempotent check - already registered?
+	_, err := client.GetDCRClient(ctx, serverName)
+	if err == nil {
+		return nil // Already registered
+	}
+
+	// Probe the server with a timeout to discover OAuth requirements
+	probeCtx, cancel := context.WithTimeout(ctx, 10*time.Second)
+	defer cancel()
+	discovery, err := oauthhelpers.DiscoverOAuthRequirements(probeCtx, serverURL)
+	if err != nil || !discovery.RequiresOAuth {
+		return nil // Server doesn't need OAuth, not an error
+	}
+
+	// Register with DD (pending DCR state) using server name as provider name
+	return client.RegisterDCRClientPending(ctx, serverName, desktop.RegisterDCRRequest{
+		ProviderName: serverName,
+	})
+}
+
 // RegisterProviderWithSnapshot registers a DCR provider using OAuth metadata from the server snapshot
 // This avoids querying the catalog since the snapshot already contains all necessary OAuth information
 // Idempotent - safe to call multiple times for the same server

pkg/workingset/oauth.go

@@ -24,15 +24,20 @@ func RegisterOAuthProvidersForServers(ctx context.Context, servers []Server) {
 		if server.Snapshot == nil {
 			continue
 		}
-		if !server.Snapshot.Server.IsRemoteOAuthServer() {
-			continue
-		}
-
-		serverName := server.Snapshot.Server.Name
-		providerName := server.Snapshot.Server.OAuth.Providers[0].Provider
+		if server.Snapshot.Server.IsRemoteOAuthServer() {
+			serverName := server.Snapshot.Server.Name
+			providerName := server.Snapshot.Server.OAuth.Providers[0].Provider
 
-		if err := oauth.RegisterProviderWithSnapshot(ctx, serverName, providerName); err != nil {
-			log.Log(fmt.Sprintf("Warning: Failed to register OAuth provider for %s: %v", serverName, err))
+			if err := oauth.RegisterProviderWithSnapshot(ctx, serverName, providerName); err != nil {
+				log.Log(fmt.Sprintf("Warning: Failed to register OAuth provider for %s: %v", serverName, err))
+			}
+		} else if server.Snapshot.Server.Type == "remote" && server.Snapshot.Server.Remote.URL != "" {
+			// Community servers without oauth.providers: probe for OAuth dynamically
+			serverName := server.Snapshot.Server.Name
+			serverURL := server.Snapshot.Server.Remote.URL
+			if err := oauth.RegisterProviderForDynamicDiscovery(ctx, serverName, serverURL); err != nil {
+				log.Log(fmt.Sprintf("Warning: Failed dynamic OAuth discovery for %s: %v", serverName, err))
+			}
 		}
 	}
 }