core-agent-ide/codex-rs/app-server/src
dkumar-oai 1070a0a712
Add configurable MCP OAuth callback URL for MCP login (#11382)
## Summary

Implements a configurable MCP OAuth callback URL override for `codex mcp
login` and app-server OAuth login flows, including support for non-local
callback endpoints (for example, devbox ingress URLs).

## What changed

- Added new config key: `mcp_oauth_callback_url` in
`~/.codex/config.toml`.
- OAuth authorization now uses `mcp_oauth_callback_url` as
`redirect_uri` when set.
- Callback handling validates the callback path against the configured
redirect URI path.
- Listener bind behavior is now host-aware:
  - local callback URL hosts (`localhost`, `127.0.0.1`, `::1`) bind to
    `127.0.0.1`
  - non-local callback URL hosts bind to `0.0.0.0`
- `mcp_oauth_callback_port` remains supported and is used for the
listener port.
- Wired through:
  - CLI MCP login flow
  - App-server MCP OAuth login flow
  - Skill dependency OAuth login flow
- Updated config schema and config tests.

## Why

Some environments need OAuth callbacks to land on a specific reachable
URL (for example ingress in remote devboxes), not loopback. This change
allows that while preserving local defaults for existing users.

## Backward compatibility

- No behavior change when `mcp_oauth_callback_url` is unset.
- Existing `mcp_oauth_callback_port` behavior remains intact.
- Local callback flows continue binding to loopback by default.

## Testing

- `cargo test -p codex-rmcp-client callback -- --nocapture`
- `cargo test -p codex-core --lib mcp_oauth_callback -- --nocapture`
- `cargo check -p codex-cli -p codex-app-server -p codex-rmcp-client`

## Example config

```toml
mcp_oauth_callback_port = 5555
mcp_oauth_callback_url = "https://<devbox>-<namespace>.gateway.<cluster>.internal.api.openai.org/callback"
```

2026-02-19 13:32:10 -08:00
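
The bind and path rules listed under "What changed", as an added sketch that is not the project's code and uses only the Rust standard library. The names `CallbackPlan`, `plan_listener` and `path_matches`, the exact-match path comparison, and the sample host are assumptions made for illustration.

```rust
use std::net::{IpAddr, Ipv4Addr};

/// Listener settings derived from the callback URL (hypothetical type).
#[derive(Debug, PartialEq)]
pub struct CallbackPlan {
    pub bind_ip: IpAddr,
    pub port: u16,
    pub path: String,
    pub exposed: bool, // true when bound to all interfaces, not just loopback
}

/// Split "scheme://[user@]host[:port]/path" into (host, path), std only.
fn host_and_path(url: &str) -> Option<(String, String)> {
    let rest = url.split_once("://")?.1;
    let (authority, path) = match rest.find('/') {
        Some(i) => (&rest[..i], &rest[i..]),
        None => (rest, "/"),
    };
    let authority = authority.rsplit('@').next()?;
    let host = match authority.strip_prefix('[') {
        Some(v6) => v6.split(']').next()?,    // "[::1]:5555" -> "::1"
        None => authority.split(':').next()?, // "localhost:5555" -> "localhost"
    };
    let path = path.split(|c: char| c == '?' || c == '#').next()?;
    if host.is_empty() {
        return None;
    }
    Some((host.to_ascii_lowercase(), path.to_string()))
}

/// Apply the host-aware bind rule: loopback names bind 127.0.0.1, others 0.0.0.0.
pub fn plan_listener(callback_url: &str, port: u16) -> Option<CallbackPlan> {
    let (host, path) = host_and_path(callback_url)?;
    let local = matches!(host.as_str(), "localhost" | "127.0.0.1" | "::1");
    let ip = if local { Ipv4Addr::LOCALHOST } else { Ipv4Addr::UNSPECIFIED };
    Some(CallbackPlan { bind_ip: IpAddr::V4(ip), port, path, exposed: !local })
}

/// Accept a callback only when its path equals the configured redirect path
/// (exact match is this example's assumption).
pub fn path_matches(plan: &CallbackPlan, request_target: &str) -> bool {
    request_target.split('?').next() == Some(plan.path.as_str())
}

fn main() {
    // Constructed sample host standing in for a devbox ingress URL.
    let plan = plan_listener("https://devbox.example.internal/callback", 5555).unwrap();
    println!("{plan:?} accepts /callback?code=x: {}", path_matches(&plan, "/callback?code=x"));
}
```

A plan with `exposed` set means the listener socket is bound to `0.0.0.0`, so who can reach it is decided by the host's network controls rather than by the bind address.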

| File | Last commit | Date |
| --- | --- | --- |
| bespoke_event_handling.rs | app-server: expose loaded thread status via read/list and notifications (#11786) | 2026-02-18 15:20:03 -08:00 |
| codex_message_processor.rs | Add configurable MCP OAuth callback URL for MCP login (#11382) | 2026-02-19 13:32:10 -08:00 |
| config_api.rs | feat(core): add network constraints schema to requirements.toml (#10958) | 2026-02-07 19:48:24 +00:00 |
| dynamic_tools.rs | fix(app-server): surface more helpful errors for json-rpc (#11638) | 2026-02-13 00:14:55 +00:00 |
| error_code.rs | Reapply "Add app-server transport layer with websocket support" (#11370) | 2026-02-11 18:13:39 +00:00 |
| filters.rs | [app-server] feat: add filtering on thread list (#9897) | 2026-01-26 21:54:19 +00:00 |
| fuzzy_file_search.rs | [app-server] add fuzzyFileSearch/sessionCompleted (#11773) | 2026-02-13 15:08:14 -08:00 |
| lib.rs | app-server: expose loaded thread status via read/list and notifications (#11786) | 2026-02-18 15:20:03 -08:00 |
| main.rs | feat(core): zsh exec bridge (#12052) | 2026-02-17 20:19:53 -08:00 |
| message_processor.rs | client side modelinfo overrides (#12101) | 2026-02-19 10:38:57 -08:00 |
| models.rs | chore: rm remote models fflag (#11699) | 2026-02-17 11:43:16 -08:00 |
| outgoing_message.rs | Feat: add model reroute notification (#12001) | 2026-02-17 11:02:23 -08:00 |
| thread_state.rs | app-server: expose loaded thread status via read/list and notifications (#11786) | 2026-02-18 15:20:03 -08:00 |
| thread_status.rs | app-server: expose loaded thread status via read/list and notifications (#11786) | 2026-02-18 15:20:03 -08:00 |
| transport.rs | app-server: thread resume subscriptions (#11474) | 2026-02-11 16:21:13 -08:00 |