[MCP] Prompt mcp login when adding a streamable HTTP server that supports oauth (#5193)

1. If Codex detects that a `codex mcp add -url …` server supports oauth, it will auto-initiate the login flow. 2. If the TUI starts and a MCP server supports oauth but isn't logged in, it will give the user an explicit warning telling them to log in.
2025-10-15 09:27:40 -07:00
parent e8863b233b
commit 8a281cd1f4
4 changed files with 60 additions and 11 deletions
--- a/codex-rs/cli/src/mcp_cmd.rs
+++ b/codex-rs/cli/src/mcp_cmd.rs
@@ -18,6 +18,7 @@ use codex_core::mcp::auth::compute_auth_statuses;
 use codex_core::protocol::McpAuthStatus;
 use codex_rmcp_client::delete_oauth_tokens;
 use codex_rmcp_client::perform_oauth_login;
+use codex_rmcp_client::supports_oauth_login;

 /// [experimental] Launch Codex as an MCP server or manage configured MCP servers.
 ///
@@ -190,7 +191,10 @@ impl McpCli {

 async fn run_add(config_overrides: &CliConfigOverrides, add_args: AddArgs) -> Result<()> {
    // Validate any provided overrides even though they are not currently applied.
-    config_overrides.parse_overrides().map_err(|e| anyhow!(e))?;
+    let overrides = config_overrides.parse_overrides().map_err(|e| anyhow!(e))?;
+    let config = Config::load_with_cli_overrides(overrides, ConfigOverrides::default())
+        .await
+        .context("failed to load configuration")?;

    let AddArgs {
        name,
@@ -226,17 +230,21 @@ async fn run_add(config_overrides: &CliConfigOverrides, add_args: AddArgs) -> Re
            }
        }
        AddMcpTransportArgs {
-            streamable_http: Some(streamable_http),
+            streamable_http:
+                Some(AddMcpStreamableHttpArgs {
+                    url,
+                    bearer_token_env_var,
+                }),
            ..
        } => McpServerTransportConfig::StreamableHttp {
-            url: streamable_http.url,
-            bearer_token_env_var: streamable_http.bearer_token_env_var,
+            url,
+            bearer_token_env_var,
        },
        AddMcpTransportArgs { .. } => bail!("exactly one of --command or --url must be provided"),
    };

    let new_entry = McpServerConfig {
-        transport,
+        transport: transport.clone(),
        enabled: true,
        startup_timeout_sec: None,
        tool_timeout_sec: None,
@@ -249,6 +257,17 @@ async fn run_add(config_overrides: &CliConfigOverrides, add_args: AddArgs) -> Re

    println!("Added global MCP server '{name}'.");

+    if let McpServerTransportConfig::StreamableHttp {
+        url,
+        bearer_token_env_var: None,
+    } = transport
+        && matches!(supports_oauth_login(&url).await, Ok(true))
+    {
+        println!("Detected OAuth support. Starting OAuth flow…");
+        perform_oauth_login(&name, &url, config.mcp_oauth_credentials_store_mode).await?;
+        println!("Successfully logged in.");
+    }
+
    Ok(())
 }