[Feature]: Support client_secret in MCP server OAuth override config #850

@affanshahid

Preflight Checklist

  • I have searched existing requests and this hasn't been proposed yet
  • If this request came from a chat session issue, I included relevant session context and redacted secrets

Problem statement

McpOAuthOverrideEntry in the config schema only supports client_id, auth_url, token_url, and scopes. Some OAuth servers (e.g. HubSpot MCP at https://mcp.hubspot.com) require a client_secret in the token exchange even when using PKCE. Without it, the token exchange fails with invalid_client: missing or invalid client secret.

The MCP spec supports dynamic client registration (RFC 7591) which would avoid needing a secret, but HubSpot does not support dynamic registration in production ("OAuth client registration is not supported in production environment"). So the only path forward is providing the secret manually via config (which doesn't support it currently).

Proposed solution

Add an optional client_secret field to McpOAuthOverrideEntry and pass it in the token exchange form body when present:

[mcp.servers.hubspot.oauth]
client_id = "your-client-id"
client_secret = "your-client-secret"
auth_url = "https://mcp.hubspot.com/oauth/authorize/user"
token_url = "https://mcp.hubspot.com/oauth/v3/token"

Alternatives considered

Currently I've set up a bash-based auth flow which my moltis runs every 30 mins using CRON and manually updates the token store.

Category

MCP integration

How important is this to your workflow?

High — significant impact on productivity

Additional context

No response

Chat session context (if applicable)
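
Added example, not part of the issue and not the project's own code: a Rust sketch of the token exchange form body the proposal describes, with `client_secret` appended only when it is configured and kept out of `Debug` output so it cannot leak into logs. The struct `OAuthOverride`, both functions, and all sample values are hypothetical; the field names follow the TOML keys in the issue.

```rust
use std::fmt;
// Hypothetical stand-in for the override entry; fields follow the TOML keys.
pub struct OAuthOverride {
    pub client_id: String,
    pub client_secret: Option<String>,
    pub token_url: String,
}

// Hand-written Debug so the secret never reaches logs or panic messages.
impl fmt::Debug for OAuthOverride {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("OAuthOverride")
            .field("client_id", &self.client_id)
            .field("client_secret", &self.client_secret.as_ref().map(|_| "<redacted>"))
            .field("token_url", &self.token_url)
            .finish()
    }
}

// application/x-www-form-urlencoded value encoding.
fn form_encode(s: &str) -> String {
    let mut out = String::new();
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'*' => out.push(b as char),
            b' ' => out.push('+'),
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

// Authorization-code token request body with PKCE (RFC 6749 4.1.3, RFC 7636 4.5).
pub fn token_request_body(cfg: &OAuthOverride, code: &str, redirect_uri: &str, verifier: &str) -> String {
    let mut pairs = vec![
        ("grant_type", "authorization_code"), ("code", code), ("redirect_uri", redirect_uri),
        ("client_id", cfg.client_id.as_str()), ("code_verifier", verifier),
    ];
    // Confidential client: send the secret only when the config provides one.
    if let Some(secret) = cfg.client_secret.as_deref() {
        pairs.push(("client_secret", secret));
    }
    pairs.iter().map(|(k, v)| format!("{}={}", k, form_encode(v))).collect::<Vec<_>>().join("&")
}
fn main() {
    // Constructed sample values, not real credentials.
    let cfg = OAuthOverride { client_id: "your-client-id".into(), client_secret: Some("s3cr&t=".into()), token_url: "https://mcp.hubspot.com/oauth/v3/token".into() };
    println!("{:?}\n{}", cfg, token_request_body(&cfg, "abc", "http://localhost:8080/cb", "ver"));
}
```

With a secret stored in plain text in the config file, the file's permissions become part of the credential's protection; the redacted `Debug` only covers the logging path.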

Labels: enhancement (New feature or request)