feat(http): add --authorization-server flag to override OAuth AS URL#2900
Open
Anika-Sol wants to merge 1 commit into
Open
feat(http): add --authorization-server flag to override OAuth AS URL#2900Anika-Sol wants to merge 1 commit into
Anika-Sol wants to merge 1 commit into
Conversation
When deploying the MCP server behind an OAuth proxy (e.g. for GHES, which does not natively support RFC 8414, RFC 7591, or PKCE), the /.well-known/oauth-protected-resource endpoint currently always derives the authorization_servers URL from GITHUB_HOST. There is no way to point clients at a different authorization server without intercepting that endpoint at the ingress/proxy layer. The oauth.Config struct already has an AuthorizationServer field with the conditional logic in place (pkg/http/oauth/oauth.go), but it was never wired to any configuration surface. This commit exposes it as: - --authorization-server CLI flag on the http subcommand - GITHUB_AUTHORIZATION_SERVER environment variable (via viper's existing GITHUB_ prefix + automatic env mapping) When set, the value is passed through ServerConfig into oauth.Config, and the protected resource metadata advertises it directly instead of calling apiHost.AuthorizationServerURL().
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a
--authorization-serverCLI flag (andGITHUB_AUTHORIZATION_SERVERenv var) to thehttpsubcommand, allowing operators to override the authorization server URL advertised in the OAuth Protected Resource Metadata (/.well-known/oauth-protected-resource).Why
When deploying the MCP server against GitHub Enterprise Server, GHES does not natively support RFC 8414, RFC 7591, or PKCE — making direct MCP OAuth impossible. A common solution is to deploy a thin OAuth proxy in front of GHES that implements the MCP OAuth spec. However, the MCP server always derives
authorization_serversfromGITHUB_HOST, so clients are pointed at GHES directly instead of the proxy. Without this flag, operators must intercept/.well-known/oauth-protected-resourceat the ingress layer as a workaround.The
AuthorizationServerfield already exists inpkg/http/oauth/oauth.Configwith the conditional in place — it simply wasn't reachable from any configuration surface.What changed
AuthorizationServer stringfield topkg/http/server.goServerConfigcfg.AuthorizationServerinto theoauth.Configstruct inRunHTTPServer--authorization-serverflag onhttpCmdincmd/github-mcp-server/main.goGITHUB_AUTHORIZATION_SERVERenv var works automaticallyMCP impact
Prompts tested (tool changes only)
Security / limits
Tool renaming
Lint & tests
./script/lint./script/testDocs