codex-rs/rmcp-client/src/auth_status.rs

use std::collections::HashMap;
use std::time::Duration;

use anyhow::Error;
use anyhow::Result;
use codex_protocol::protocol::McpAuthStatus;
use reqwest::Client;
use reqwest::StatusCode;
use reqwest::Url;
use reqwest::header::HeaderMap;
use serde::Deserialize;
use tracing::debug;

use crate::OAuthCredentialsStoreMode;
use crate::oauth::has_oauth_tokens;
use crate::utils::apply_default_headers;
use crate::utils::build_default_headers;

const DISCOVERY_TIMEOUT: Duration = Duration::from_secs(5);
const OAUTH_DISCOVERY_HEADER: &str = "MCP-Protocol-Version";
const OAUTH_DISCOVERY_VERSION: &str = "2024-11-05";

/// Determine the authentication status for a streamable HTTP MCP server.
pub async fn determine_streamable_http_auth_status(
    server_name: &str,
    url: &str,
    bearer_token_env_var: Option<&str>,
    http_headers: Option<HashMap<String, String>>,
    env_http_headers: Option<HashMap<String, String>>,
    store_mode: OAuthCredentialsStoreMode,
) -> Result<McpAuthStatus> {
    if bearer_token_env_var.is_some() {
        return Ok(McpAuthStatus::BearerToken);
    }

    if has_oauth_tokens(server_name, url, store_mode)? {
        return Ok(McpAuthStatus::OAuth);
    }

    let default_headers = build_default_headers(http_headers, env_http_headers)?;

    match supports_oauth_login_with_headers(url, &default_headers).await {
        Ok(true) => Ok(McpAuthStatus::NotLoggedIn),
        Ok(false) => Ok(McpAuthStatus::Unsupported),
        Err(error) => {
            debug!(
                "failed to detect OAuth support for MCP server `{server_name}` at {url}: {error:?}"
            );
            Ok(McpAuthStatus::Unsupported)
        }
    }
}

/// Attempt to determine whether a streamable HTTP MCP server advertises OAuth login.
pub async fn supports_oauth_login(url: &str) -> Result<bool> {
    supports_oauth_login_with_headers(url, &HeaderMap::new()).await
}

async fn supports_oauth_login_with_headers(url: &str, default_headers: &HeaderMap) -> Result<bool> {
    let base_url = Url::parse(url)?;
    let builder = Client::builder().timeout(DISCOVERY_TIMEOUT);
    let client = apply_default_headers(builder, default_headers).build()?;

    let mut last_error: Option<Error> = None;
    for candidate_path in discovery_paths(base_url.path()) {
        let mut discovery_url = base_url.clone();
        discovery_url.set_path(&candidate_path);

        let response = match client
            .get(discovery_url.clone())
            .header(OAUTH_DISCOVERY_HEADER, OAUTH_DISCOVERY_VERSION)
            .send()
            .await
        {
            Ok(response) => response,
            Err(err) => {
                last_error = Some(err.into());
                continue;
            }
        };

        if response.status() != StatusCode::OK {
            continue;
        }

        let metadata = match response.json::<OAuthDiscoveryMetadata>().await {
            Ok(metadata) => metadata,
            Err(err) => {
                last_error = Some(err.into());
                continue;
            }
        };

        if metadata.authorization_endpoint.is_some() && metadata.token_endpoint.is_some() {
            return Ok(true);
        }
    }

    if let Some(err) = last_error {
        debug!("OAuth discovery requests failed for {url}: {err:?}");
    }

    Ok(false)
}

#[derive(Debug, Deserialize)]
struct OAuthDiscoveryMetadata {
    #[serde(default)]
    authorization_endpoint: Option<String>,
    #[serde(default)]
    token_endpoint: Option<String>,
}

/// Implements RFC 8414 section 3.1 for discovering well-known oauth endpoints.
/// This is a requirement for MCP servers to support OAuth.
/// https://datatracker.ietf.org/doc/html/rfc8414#section-3.1
/// https://github.com/modelcontextprotocol/rust-sdk/blob/main/crates/rmcp/src/transport/auth.rs#L182
fn discovery_paths(base_path: &str) -> Vec<String> {
    let trimmed = base_path.trim_start_matches('/').trim_end_matches('/');
    let canonical = "/.well-known/oauth-authorization-server".to_string();

    if trimmed.is_empty() {
        return vec![canonical];
    }

    let mut candidates = Vec::new();
    let mut push_unique = |candidate: String| {
        if !candidates.contains(&candidate) {
            candidates.push(candidate);
        }
    };

    push_unique(format!("{canonical}/{trimmed}"));
    push_unique(format!("/{trimmed}/.well-known/oauth-authorization-server"));
    push_unique(canonical);

    candidates
}
[MCP] Allow specifying custom headers with streamable http servers (#5241) This adds two new config fields to streamable http mcp servers: `http_headers`: a map of key to value `env_http_headers` a map of key to env var which will be resolved at request time All headers will be passed to all MCP requests to that server just like authorization headers. There is a test ensuring that headers are not passed to other servers. Fixes #5180 2025-10-16 20:15:47 -07:00			`use std::collections::HashMap;`
[MCP] Add auth status to MCP servers (#4918) This adds a queryable auth status for MCP servers which is useful: 1. To determine whether a streamable HTTP server supports auth or not based on whether or not it supports RFC 8414-3.2 2. Allow us to build a better user experience on top of MCP status 2025-10-08 14:37:57 -07:00			`use std::time::Duration;`

			`use anyhow::Error;`
			`use anyhow::Result;`
			`use codex_protocol::protocol::McpAuthStatus;`
			`use reqwest::Client;`
			`use reqwest::StatusCode;`
			`use reqwest::Url;`
[MCP] Allow specifying custom headers with streamable http servers (#5241) This adds two new config fields to streamable http mcp servers: `http_headers`: a map of key to value `env_http_headers` a map of key to env var which will be resolved at request time All headers will be passed to all MCP requests to that server just like authorization headers. There is a test ensuring that headers are not passed to other servers. Fixes #5180 2025-10-16 20:15:47 -07:00			`use reqwest::header::HeaderMap;`
[MCP] Add auth status to MCP servers (#4918) This adds a queryable auth status for MCP servers which is useful: 1. To determine whether a streamable HTTP server supports auth or not based on whether or not it supports RFC 8414-3.2 2. Allow us to build a better user experience on top of MCP status 2025-10-08 14:37:57 -07:00			`use serde::Deserialize;`
			`use tracing::debug;`

			`use crate::OAuthCredentialsStoreMode;`
			`use crate::oauth::has_oauth_tokens;`
[MCP] Allow specifying custom headers with streamable http servers (#5241) This adds two new config fields to streamable http mcp servers: `http_headers`: a map of key to value `env_http_headers` a map of key to env var which will be resolved at request time All headers will be passed to all MCP requests to that server just like authorization headers. There is a test ensuring that headers are not passed to other servers. Fixes #5180 2025-10-16 20:15:47 -07:00			`use crate::utils::apply_default_headers;`
			`use crate::utils::build_default_headers;`
[MCP] Add auth status to MCP servers (#4918) This adds a queryable auth status for MCP servers which is useful: 1. To determine whether a streamable HTTP server supports auth or not based on whether or not it supports RFC 8414-3.2 2. Allow us to build a better user experience on top of MCP status 2025-10-08 14:37:57 -07:00
			`const DISCOVERY_TIMEOUT: Duration = Duration::from_secs(5);`
			`const OAUTH_DISCOVERY_HEADER: &str = "MCP-Protocol-Version";`
			`const OAUTH_DISCOVERY_VERSION: &str = "2024-11-05";`

			`/// Determine the authentication status for a streamable HTTP MCP server.`
			`pub async fn determine_streamable_http_auth_status(`
			`server_name: &str,`
			`url: &str,`
			`bearer_token_env_var: Option<&str>,`
[MCP] Allow specifying custom headers with streamable http servers (#5241) This adds two new config fields to streamable http mcp servers: `http_headers`: a map of key to value `env_http_headers` a map of key to env var which will be resolved at request time All headers will be passed to all MCP requests to that server just like authorization headers. There is a test ensuring that headers are not passed to other servers. Fixes #5180 2025-10-16 20:15:47 -07:00			`http_headers: Option<HashMap<String, String>>,`
			`env_http_headers: Option<HashMap<String, String>>,`
[MCP] Add auth status to MCP servers (#4918) This adds a queryable auth status for MCP servers which is useful: 1. To determine whether a streamable HTTP server supports auth or not based on whether or not it supports RFC 8414-3.2 2. Allow us to build a better user experience on top of MCP status 2025-10-08 14:37:57 -07:00			`store_mode: OAuthCredentialsStoreMode,`
			`) -> Result<McpAuthStatus> {`
			`if bearer_token_env_var.is_some() {`
			`return Ok(McpAuthStatus::BearerToken);`
			`}`

			`if has_oauth_tokens(server_name, url, store_mode)? {`
			`return Ok(McpAuthStatus::OAuth);`
			`}`

[MCP] Allow specifying custom headers with streamable http servers (#5241) This adds two new config fields to streamable http mcp servers: `http_headers`: a map of key to value `env_http_headers` a map of key to env var which will be resolved at request time All headers will be passed to all MCP requests to that server just like authorization headers. There is a test ensuring that headers are not passed to other servers. Fixes #5180 2025-10-16 20:15:47 -07:00			`let default_headers = build_default_headers(http_headers, env_http_headers)?;`

			`match supports_oauth_login_with_headers(url, &default_headers).await {`
[MCP] Add auth status to MCP servers (#4918) This adds a queryable auth status for MCP servers which is useful: 1. To determine whether a streamable HTTP server supports auth or not based on whether or not it supports RFC 8414-3.2 2. Allow us to build a better user experience on top of MCP status 2025-10-08 14:37:57 -07:00			`Ok(true) => Ok(McpAuthStatus::NotLoggedIn),`
			`Ok(false) => Ok(McpAuthStatus::Unsupported),`
			`Err(error) => {`
			`debug!(`
			"failed to detect OAuth support for MCP server `{server_name}` at {url}: {error:?}"
			`);`
			`Ok(McpAuthStatus::Unsupported)`
			`}`
			`}`
			`}`

			`/// Attempt to determine whether a streamable HTTP MCP server advertises OAuth login.`
[MCP] Prompt `mcp login` when adding a streamable HTTP server that supports oauth (#5193) 1. If Codex detects that a `codex mcp add -url …` server supports oauth, it will auto-initiate the login flow. 2. If the TUI starts and a MCP server supports oauth but isn't logged in, it will give the user an explicit warning telling them to log in. 2025-10-15 09:27:40 -07:00			`pub async fn supports_oauth_login(url: &str) -> Result<bool> {`
[MCP] Allow specifying custom headers with streamable http servers (#5241) This adds two new config fields to streamable http mcp servers: `http_headers`: a map of key to value `env_http_headers` a map of key to env var which will be resolved at request time All headers will be passed to all MCP requests to that server just like authorization headers. There is a test ensuring that headers are not passed to other servers. Fixes #5180 2025-10-16 20:15:47 -07:00			`supports_oauth_login_with_headers(url, &HeaderMap::new()).await`
			`}`

			`async fn supports_oauth_login_with_headers(url: &str, default_headers: &HeaderMap) -> Result<bool> {`
[MCP] Add auth status to MCP servers (#4918) This adds a queryable auth status for MCP servers which is useful: 1. To determine whether a streamable HTTP server supports auth or not based on whether or not it supports RFC 8414-3.2 2. Allow us to build a better user experience on top of MCP status 2025-10-08 14:37:57 -07:00			`let base_url = Url::parse(url)?;`
[MCP] Allow specifying custom headers with streamable http servers (#5241) This adds two new config fields to streamable http mcp servers: `http_headers`: a map of key to value `env_http_headers` a map of key to env var which will be resolved at request time All headers will be passed to all MCP requests to that server just like authorization headers. There is a test ensuring that headers are not passed to other servers. Fixes #5180 2025-10-16 20:15:47 -07:00			`let builder = Client::builder().timeout(DISCOVERY_TIMEOUT);`
			`let client = apply_default_headers(builder, default_headers).build()?;`
[MCP] Add auth status to MCP servers (#4918) This adds a queryable auth status for MCP servers which is useful: 1. To determine whether a streamable HTTP server supports auth or not based on whether or not it supports RFC 8414-3.2 2. Allow us to build a better user experience on top of MCP status 2025-10-08 14:37:57 -07:00
			`let mut last_error: Option<Error> = None;`
			`for candidate_path in discovery_paths(base_url.path()) {`
			`let mut discovery_url = base_url.clone();`
			`discovery_url.set_path(&candidate_path);`

			`let response = match client`
			`.get(discovery_url.clone())`
			`.header(OAUTH_DISCOVERY_HEADER, OAUTH_DISCOVERY_VERSION)`
			`.send()`
			`.await`
			`{`
			`Ok(response) => response,`
			`Err(err) => {`
			`last_error = Some(err.into());`
			`continue;`
			`}`
			`};`

			`if response.status() != StatusCode::OK {`
			`continue;`
			`}`

			`let metadata = match response.json::<OAuthDiscoveryMetadata>().await {`
			`Ok(metadata) => metadata,`
			`Err(err) => {`
			`last_error = Some(err.into());`
			`continue;`
			`}`
			`};`

			`if metadata.authorization_endpoint.is_some() && metadata.token_endpoint.is_some() {`
			`return Ok(true);`
			`}`
			`}`

			`if let Some(err) = last_error {`
			`debug!("OAuth discovery requests failed for {url}: {err:?}");`
			`}`

			`Ok(false)`
			`}`

			`#[derive(Debug, Deserialize)]`
			`struct OAuthDiscoveryMetadata {`
			`#[serde(default)]`
			`authorization_endpoint: Option<String>,`
			`#[serde(default)]`
			`token_endpoint: Option<String>,`
			`}`

			`/// Implements RFC 8414 section 3.1 for discovering well-known oauth endpoints.`
			`/// This is a requirement for MCP servers to support OAuth.`
			`/// https://datatracker.ietf.org/doc/html/rfc8414#section-3.1`
			`/// https://github.com/modelcontextprotocol/rust-sdk/blob/main/crates/rmcp/src/transport/auth.rs#L182`
			`fn discovery_paths(base_path: &str) -> Vec<String> {`
			`let trimmed = base_path.trim_start_matches('/').trim_end_matches('/');`
			`let canonical = "/.well-known/oauth-authorization-server".to_string();`

			`if trimmed.is_empty() {`
			`return vec![canonical];`
			`}`

			`let mut candidates = Vec::new();`
			`let mut push_unique = \|candidate: String\| {`
			`if !candidates.contains(&candidate) {`
			`candidates.push(candidate);`
			`}`
			`};`

			`push_unique(format!("{canonical}/{trimmed}"));`
			`push_unique(format!("/{trimmed}/.well-known/oauth-authorization-server"));`
			`push_unique(canonical);`

			`candidates`
			`}`