Per-server OAuth routing for authorize, revoke, and mcp-add (MCPT-484) #465
cutecatfann merged 1 commit into main
| isCommunity, err := lookupIsCommunity(ctx, app) | ||
| if err != nil { | ||
| // Server not in catalog -- fall back to legacy global routing | ||
| // so existing servers without catalog entries still work. | ||
| if pkgoauth.IsCEMode() { | ||
| return authorizeCEMode(ctx, app, scopes) | ||
| } | ||
| return authorizeDesktopMode(ctx, app, scopes) | ||
| } | ||
|
|
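Review bot: the `if err != nil` branch treats every error from lookupIsCommunity as "server not in catalog", which is what its comment assumes. If the lookup can also fail for another reason (for example, a catalog that cannot be loaded), that failure would silently select the legacy global IsCEMode() routing instead of the per-server decision. Consider having lookupIsCommunity return a distinguishable not-found error, falling back only on that one, and returning any other error to the caller.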
QQ, on the isCommunity check -> is this true for all servers that are not in the Docker catalog?
IE: how would this behave for a custom catalog built with servers from the DD catalog?
lookupIsCommunity loads all catalogs (Docker + configured/custom) via catalog.GetWithOptions(ctx, true, nil), then checks server.IsCommunity() which looks for the "community" tag in Metadata.Tags. That tag is only set by catalog_next/create.go when importing from the community registry.
So servers from the DD catalog in a custom catalog would not have the "community" tag -- they route to ModeDesktop (unchanged behavior).
The error path (server not in any catalog) falls back to the legacy global IsCEMode() check for backward compat with servers configured outside of catalogs.
| } | ||
|
|
||
| // authorizeCommunityMode handles OAuth for community servers in Desktop mode. | ||
| // Uses the Gateway OAuth flow (localhost callback, PKCE) with docker pass storage. |
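Review bot: the doc comment on authorizeCommunityMode names the storage ("docker pass") but not the condition under which this path is selected, which makes it easy to read as applying to CE mode too. Consider stating in the comment which mode value routes here and that CE mode keeps its own path through authorizeCEMode.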
I had understood that CE mode (and therefore the community servers) would use docker-credential-helpers for storage; are we migrating it to pass as well?
I think pass might require DD
No -- CE mode is unchanged and still uses docker-credential-helpers via authorizeCEMode / NewReadWriteCredentialHelper().
authorizeCommunityMode (docker pass) is only reached when DetermineMode returns ModeCommunity, which requires: Desktop mode + community server + McpGatewayOAuth flag ON. CE mode always returns ModeCE from DetermineMode and routes to authorizeCEMode.
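The routing rules described in the two replies above, as an added Go sketch that is not code from this PR. Only the mode names and the "community" tag come from the thread; the `catalog` type, the function signatures, the sample server names, and the result for a community server with the flag off are assumptions.

```go
package main

import "fmt"

// Added sketch: Mode names are from the PR thread, other identifiers are hypothetical.
type Mode string

const (
	ModeCE        Mode = "ModeCE"        // docker-credential-helpers storage
	ModeCommunity Mode = "ModeCommunity" // Gateway OAuth flow, docker pass storage
	ModeDesktop   Mode = "ModeDesktop"   // existing Desktop API path
)

type catalog map[string][]string // server name -> Metadata.Tags (constructed shape)

func lookupIsCommunity(c catalog, name string) (bool, error) {
	tags, ok := c[name]
	if !ok {
		return false, fmt.Errorf("server %q not in any catalog", name)
	}
	for _, t := range tags {
		if t == "community" {
			return true, nil
		}
	}
	return false, nil
}

func determineMode(ceMode, gatewayFlag, isCommunity bool) Mode {
	switch {
	case ceMode: // CE mode always wins
		return ModeCE
	case isCommunity && gatewayFlag:
		return ModeCommunity
	}
	return ModeDesktop // also community + flag OFF (assumption)
}

func route(c catalog, name string, ceMode, gatewayFlag bool) Mode {
	isCommunity, err := lookupIsCommunity(c, name)
	if err != nil { // not in any catalog: legacy global CE check only
		return determineMode(ceMode, false, false)
	}
	return determineMode(ceMode, gatewayFlag, isCommunity)
}

func main() {
	fmt.Println(route(catalog{"community-srv": {"community"}}, "community-srv", false, true))
}
```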
austin5456 left a comment:
just a couple questions
What I did
- docker mcp oauth authorize, docker mcp oauth revoke, and the mcp-add elicitation flow per-server using DetermineMode(ctx, isCommunity), replacing the global IsCEMode() check at these call sites
- authorizeCommunityMode, full Gateway OAuth flow (localhost callback, PKCE, DCR via docker pass) for community servers in Desktop mode
- revokeCommunityMode, deletes OAuth token and DCR client from docker pass
- getRemoteOAuthServerStatus in the gateway to branch on ShouldUseGatewayOAuth: community/CE servers register DCR and start providers via Gateway; Desktop catalog servers use the existing Desktop API path
- dcr.DiscoverAndRegister() as a storage-agnostic function so both community mode (docker pass) and CE mode (credential helper) can share the discovery + DCR logic without coupling to a specific storage backend

(not mandatory) A picture of a cute animal, if possible in relation to what you did
