feat: auto-discover OAuth2 config for MCP servers via RFC 7591 DCR#23406

Merged
kylecarbs merged 1 commit into main from kylecarbs/mcp-oauth2-auto-discovery
Mar 23, 2026

Conversation

@kylecarbs (Member)

Problem

When adding an external MCP server with auth_type=oauth2, admins currently must manually provide:

  • oauth2_client_id
  • oauth2_client_secret
  • oauth2_auth_url
  • oauth2_token_url

This requires the admin to manually register an OAuth2 client with the external MCP server's authorization server first — a friction-heavy process that contradicts the MCP spec's vision of plug-and-play discovery.

Solution

When an admin creates an MCP server config with auth_type=oauth2 and omits the OAuth2 fields, Coder now automatically discovers and registers credentials following the MCP authorization spec:

  1. Protected Resource Metadata (RFC 9728) — Fetches /.well-known/oauth-protected-resource from the MCP server to discover its authorization server. Falls back to probing the server URL for a WWW-Authenticate header with a resource_metadata parameter.

  2. Authorization Server Metadata (RFC 8414) — Fetches /.well-known/oauth-authorization-server from the discovered auth server to find all endpoints.

  3. Dynamic Client Registration (RFC 7591) — Registers Coder as an OAuth2 client at the auth server's registration endpoint, obtaining a client_id and client_secret automatically.

The discovered/generated credentials are stored in the MCP server config, and the existing per-user OAuth2 connect flow works unchanged.

Backward compatibility

  • Manual config still works: If all three fields (oauth2_client_id, oauth2_auth_url, oauth2_token_url) are provided, the existing behavior is unchanged.
  • Partial config is rejected: Providing some but not all fields returns a clear error explaining the two options.
  • Discovery failure is clear: If auto-discovery fails, the error message explains what went wrong and suggests manual configuration.

Changes

  • New package coderd/mcpauth — Self-contained discovery and DCR logic with no codersdk dependency
  • Modified coderd/mcp.go: the createMCPServerConfig handler now attempts auto-discovery when OAuth2 fields are omitted
  • Tests — Unit tests for discovery (happy path, WWW-Authenticate fallback, no registration endpoint, registration failure) and parseResourceMetadataParam helper
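
The three-step flow described above, as an added stand-alone example. It is not code from this PR, from coderd/mcpauth or from the mcp-go library (which the merged commit says Coder actually uses); it is a sketch of the protocol exchange in which every URL that comes back from a metadata document is treated as untrusted input. The transport is injected as a plain callable so that the constructed fixture fake_transport runs offline; the hosts mcp.example.test and coder.example.test, the /prm-from-challenge path and the client_id and secret the fixture hands out are all invented for the example, and the https-only check on every discovered endpoint is this example's own choice rather than something the PR describes.

```python
"""Stand-alone sketch of MCP OAuth2 auto-discovery: RFC 9728 -> RFC 8414 -> RFC 7591."""
import json
from urllib.parse import urlsplit


def parse_resource_metadata_param(challenge: str) -> str:
    """Quoted resource_metadata URL from a WWW-Authenticate challenge (RFC 9728 s5.1), or ""."""
    _, found, rest = challenge.partition('resource_metadata="')
    url, closed, _ = rest.partition('"')
    return url if found and closed else ""


def require_https(raw: str) -> str:
    """Refuse what a spoofed metadata document could use to steer us to a plaintext or relative endpoint."""
    u = urlsplit(raw)
    if u.scheme != "https" or not u.netloc:
        raise ValueError(f"refusing non-https endpoint {raw!r}; configure OAuth2 manually")
    return raw


def well_known(raw: str, name: str) -> str:
    """<origin>/.well-known/<name>; issuers with a path component (RFC 8414 s3.1) are not handled here."""
    u = urlsplit(raw)
    return f"{u.scheme}://{u.netloc}/.well-known/{name}"


def fetch_json(do, method: str, url: str, body=None, want: int = 200):
    """One request through the injected transport; the reply must carry the expected status and be JSON."""
    status, _, text = do(method, require_https(url), body)
    if status != want:
        raise RuntimeError(f"{method} {url}: HTTP {status}")
    return json.loads(text)


def discover(do, mcp_url: str, redirect_uri: str) -> dict:
    """Run the three steps and return the four fields an admin would otherwise type by hand.

    do(method, url, body) -> (status, headers, text) is the transport; see fake_transport.
    """
    # 1. Protected Resource Metadata, falling back to the WWW-Authenticate challenge that an
    #    unauthenticated request to the MCP server itself has to carry.
    try:
        prm = fetch_json(do, "GET", well_known(require_https(mcp_url), "oauth-protected-resource"))
    except RuntimeError:
        status, headers, _ = do("GET", mcp_url, None)
        md_url = parse_resource_metadata_param(headers.get("WWW-Authenticate", ""))
        if status != 401 or not md_url:
            raise RuntimeError("no protected resource metadata found; configure OAuth2 manually")
        prm = fetch_json(do, "GET", md_url)
    servers = prm.get("authorization_servers") or []
    if not servers:
        raise RuntimeError("metadata lists no authorization_servers; configure OAuth2 manually")
    # 2. Authorization Server Metadata; every endpoint we will call later must itself be https.
    asm = fetch_json(do, "GET", well_known(require_https(servers[0]), "oauth-authorization-server"))
    auth_url, token_url, reg_url = (require_https(asm.get(k, "")) for k in
                                    ("authorization_endpoint", "token_endpoint", "registration_endpoint"))
    # 3. Dynamic Client Registration as a confidential, code-flow-only client (201 Created).
    reg = fetch_json(do, "POST", reg_url, json.dumps({
        "client_name": "Coder", "redirect_uris": [redirect_uri], "response_types": ["code"],
        "grant_types": ["authorization_code", "refresh_token"],
        "token_endpoint_auth_method": "client_secret_basic",
    }), want=201)
    if not reg.get("client_id"):
        raise RuntimeError("registration response lacks client_id; configure OAuth2 manually")
    return {"oauth2_client_id": reg["client_id"], "oauth2_client_secret": reg.get("client_secret", ""),
            "oauth2_auth_url": auth_url, "oauth2_token_url": token_url}


def fake_transport(serve_prm: bool):
    """Constructed fixture, not a real deployment: one host plays both the MCP server and its
    authorization server. With serve_prm=False the well-known document 404s and only the
    WWW-Authenticate challenge on the MCP endpoint reveals where it lives."""
    base = "https://mcp.example.test"

    def do(method, url, body):
        path = urlsplit(url).path
        if (path == "/.well-known/oauth-protected-resource" and serve_prm) or path == "/prm-from-challenge":
            return 200, {}, json.dumps({"authorization_servers": [base]})
        if path == "/mcp":
            return 401, {"WWW-Authenticate": f'Bearer realm="mcp", resource_metadata="{base}/prm-from-challenge"'}, ""
        if path == "/.well-known/oauth-authorization-server":
            return 200, {}, json.dumps({"authorization_endpoint": f"{base}/authorize",
                                        "token_endpoint": f"{base}/token",
                                        "registration_endpoint": f"{base}/register"})
        if path == "/register" and method == "POST" and "redirect_uris" in json.loads(body):
            return 201, {}, json.dumps({"client_id": "dcr-client-1", "client_secret": "constructed-secret"})
        return 404, {}, ""

    return do


if __name__ == "__main__":
    print(discover(fake_transport(serve_prm=False), "https://mcp.example.test/mcp",
                   "https://coder.example.test/oauth2/callback"))
```

Run as-is it exercises the fallback path (serve_prm=False) and yields the same four oauth2_* fields the direct path does. Two points worth carrying into a real implementation: a tampered protected-resource document can point authorization_servers at an attacker's host, so discovered endpoints deserve at least the scrutiny admin-typed ones get, and the absent or refusing registration endpoint is exactly the place where the error should suggest manual configuration, as the PR's description says it does.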

kylecarbs force-pushed the kylecarbs/mcp-oauth2-auto-discovery branch from 6784c94 to dcd59b4 on March 22, 2026 13:58
coder-tasks bot (Contributor) commented Mar 22, 2026

Documentation Check

New Documentation Needed

  • docs/ai-coder/mcp-server.md or a new admin guide — Document the auto-discovery path for auth_type=oauth2 MCP server configs. Admins can now omit oauth2_client_id, oauth2_auth_url, and oauth2_token_url to trigger automatic RFC 9728/RFC 8414 discovery + RFC 7591 Dynamic Client Registration. The two valid modes (full manual config vs. full auto-discovery) and the new error message for partial config should be explained.

Automated review via Coder Tasks

kylecarbs force-pushed the kylecarbs/mcp-oauth2-auto-discovery branch 2 times, most recently from a8434f7 to 3dde75a on March 23, 2026 22:03

When an admin creates an MCP server config with auth_type=oauth2 but does
not provide oauth2_client_id, oauth2_auth_url, or oauth2_token_url, Coder
now automatically discovers the authorization server and registers a client
using the mcp-go library's OAuthHandler.

The discovery flow follows the MCP authorization spec:
1. Discover the authorization server via Protected Resource Metadata
   (RFC 9728) and Authorization Server Metadata (RFC 8414) using
   mcp-go's OAuthHandler.GetServerMetadata()
2. Register a client via Dynamic Client Registration (RFC 7591) using
   mcp-go's OAuthHandler.RegisterClient()
3. Store the auto-generated client_id, client_secret, auth_url, token_url

If auto-discovery fails, the admin gets a clear error message suggesting
manual configuration.

Manual configuration (providing all three fields) continues to work as before.
Partial configuration (some but not all fields) returns a validation error
explaining the two options.
kylecarbs force-pushed the kylecarbs/mcp-oauth2-auto-discovery branch from 3dde75a to 2e3f5aa on March 23, 2026 22:23
kylecarbs merged commit acbfb90 into main Mar 23, 2026
26 checks passed
kylecarbs deleted the kylecarbs/mcp-oauth2-auto-discovery branch March 23, 2026 23:26
github-actions bot locked and limited conversation to collaborators Mar 23, 2026