Skip to content

MCP Track A Phase 3-4: enterprise TLS options and outbound OAuth PKCE #1016

Description

@Bionic711

Summary

Implement Track A Phases 3 and 4 from #1013: enterprise TLS/network diagnostics and outbound OAuth 2.1 PKCE support for MCP actions.

Scope

Phase 3: TLS and Enterprise Network Options

  • Confirm connector support before adding per-action TLS settings.
  • Prefer OS/container trust store guidance first.
  • Add optional TLS settings only if the connector stack can safely honor them.
  • Store certificate material through Key Vault or workspace identity references, not directly in additionalFields.
  • Add diagnostics for DNS/connect timeout, TLS validation failure, HTTP authentication failure, MCP initialization/list-tools failure, and tool call failure.

Phase 4: OAuth 2.1 PKCE

  • Add an MCP auth method such as oauth_pkce.
  • Add explicit OAuth fields for authorization URL, token URL, client ID, optional client secret reference, callback mode, scopes, audience/resource, and token refresh behavior.
  • Add Splunk-specific OAuth defaults where a Splunk profile is selected.
  • Implement state and PKCE verifier handling.
  • Add callback/connect/reconnect/disconnect routes using required route decorators.
  • Keep external MCP OAuth token cache separate from app sign-in MSAL cache.
  • Store refresh/access tokens securely using Key Vault/reference patterns.
  • Refresh before discovery/tool calls when expired or after 401 responses.

Acceptance Criteria

  • TLS options are only exposed if supported securely by the connector stack.
  • OAuth PKCE state and verifier handling is validated and short lived.
  • External MCP OAuth tokens are not mixed into SimpleChat sign-in token cache.
  • Tokens are stored through approved secret/reference patterns.
  • OAuth UI exposes connect, reconnect, disconnect, scope display, expiry status, and clear failure states.
  • Tests cover PKCE generation, state validation, callback validation, token exchange, refresh flow, scope pinning, Key Vault/reference storage, redaction, and refreshed-token header generation.

Notes

Parent: #1013
Planning doc: docs/explanation/features/MCP_PLUGIN_ROBUSTNESS_PLAN.md
Priority: P1
Size: L

Metadata

Metadata

Assignees

Labels

enhancementNew feature or requestsecurity_improvementThis issue results in an improvement to security

Type

No type

Fields

No fields configured for issues without a type.

Projects

Status
Pending Evaluation

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions