From d73055c5b15f820590ccd7846c0ad9cc897e52dc Mon Sep 17 00:00:00 2001
From: Gabriel Peal
Date: Mon, 6 Oct 2025 14:41:16 -0700
Subject: [PATCH] [MCP] Fix the bearer token authorization header (#4846)
`http_config.auth_header` automatically added `Bearer `. By adding it ourselves, we were sending `Bearer Bearer `. I confirmed that the GitHub MCP initialization 400s before and works now. I also optimized the oauth flow to not check the keyring if you explicitly pass in a bearer token.
---
 codex-rs/rmcp-client/src/rmcp_client.rs | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/codex-rs/rmcp-client/src/rmcp_client.rs b/codex-rs/rmcp-client/src/rmcp_client.rs
index d19bf8fe..676af9a5 100644
--- a/codex-rs/rmcp-client/src/rmcp_client.rs
+++ b/codex-rs/rmcp-client/src/rmcp_client.rs
@@ -120,14 +120,17 @@ impl RmcpClient {
 url: &str,
 bearer_token: Option,
 ) -> Result {
- let initial_tokens = match load_oauth_tokens(server_name, url) {
- Ok(tokens) => tokens,
- Err(err) => {
- warn!("failed to read tokens for server `{server_name}`: {err}");
- None
- }
+ let initial_oauth_tokens = match bearer_token {
+ Some(_) => None,
+ None => match load_oauth_tokens(server_name, url) {
+ Ok(tokens) => tokens,
+ Err(err) => {
+ warn!("failed to read tokens for server `{server_name}`: {err}");
+ None
+ }
+ },
 };
- let transport = if let Some(initial_tokens) = initial_tokens.clone() {
+ let transport = if let Some(initial_tokens) = initial_oauth_tokens.clone() {
 let (transport, oauth_persistor) =
 create_oauth_transport_and_runtime(server_name, url, initial_tokens).await?;
 PendingTransport::StreamableHttpWithOAuth {
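Review bot: The new `Some(_) => None` arm changes credential precedence without saying so in the code: once a bearer token is supplied the stored OAuth tokens are never loaded, so the plain bearer transport is always chosen, whereas the old lines took the OAuth branch whenever `load_oauth_tokens` returned tokens and left the explicit token unused. A comment above the match would record the rule, for example `// An explicit bearer token takes precedence over stored OAuth tokens; skip the keyring lookup.` As a style point, matching on a discarded payload reads less directly than `if bearer_token.is_some() { None } else { /* keyring lookup */ }`. The function starts and ends outside this hunk, so any later use of `initial_oauth_tokens` is not visible here.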
@@ -137,7 +140,7 @@ impl RmcpClient { } else { let mut http_config = StreamableHttpClientTransportConfig::with_uri(url.to_string()); if let Some(bearer_token) = bearer_token { - http_config = http_config.auth_header(format!("Bearer {bearer_token}")); + http_config = http_config.auth_header(bearer_token); } let transport = StreamableHttpClientTransport::from_config(http_config);
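Review bot: `http_config.auth_header(bearer_token)` now depends on the transport config prepending the `Bearer ` scheme itself, and nothing at the call site records that, so the double prefix is easy to reintroduce. A comment such as `// auth_header() adds the "Bearer " scheme itself; pass the raw token only.` would pin the contract. The same malformed header would presumably come back if a configured value already starts with `Bearer `; if that input is plausible, normalise it first with something like `let bearer_token = bearer_token.strip_prefix("Bearer ").unwrap_or(&bearer_token).to_string();` or reject it with a clear error. A regression test asserting the exact `Authorization` value sent would keep this from silently breaking authentication again. The enclosing function continues outside this hunk.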