Summary
Implement Track A Phases 3 and 4 from #1013 : enterprise TLS/network diagnostics and outbound OAuth 2.1 PKCE support for MCP actions.
Scope
Phase 3: TLS and Enterprise Network Options
Confirm connector support before adding per-action TLS settings.
Prefer OS/container trust store guidance first.
Add optional TLS settings only if the connector stack can safely honor them.
Store certificate material through Key Vault or workspace identity references, not directly in additionalFields.
Add diagnostics for DNS/connect timeout, TLS validation failure, HTTP authentication failure, MCP initialization/list-tools failure, and tool call failure.
Phase 4: OAuth 2.1 PKCE
Add an MCP auth method such as oauth_pkce.
Add explicit OAuth fields for authorization URL, token URL, client ID, optional client secret reference, callback mode, scopes, audience/resource, and token refresh behavior.
Add Splunk-specific OAuth defaults where a Splunk profile is selected.
Implement state and PKCE verifier handling.
Add callback/connect/reconnect/disconnect routes using required route decorators.
Keep external MCP OAuth token cache separate from app sign-in MSAL cache.
Store refresh/access tokens securely using Key Vault/reference patterns.
Refresh before discovery/tool calls when expired or after 401 responses.
Acceptance Criteria
TLS options are only exposed if supported securely by the connector stack.
OAuth PKCE state and verifier handling is validated and short lived.
External MCP OAuth tokens are not mixed into SimpleChat sign-in token cache.
Tokens are stored through approved secret/reference patterns.
OAuth UI exposes connect, reconnect, disconnect, scope display, expiry status, and clear failure states.
Tests cover PKCE generation, state validation, callback validation, token exchange, refresh flow, scope pinning, Key Vault/reference storage, redaction, and refreshed-token header generation.
Notes
Parent: #1013
Planning doc: docs/explanation/features/MCP_PLUGIN_ROBUSTNESS_PLAN.md
Priority: P1
Size: L
Summary
Implement Track A Phases 3 and 4 from #1013: enterprise TLS/network diagnostics and outbound OAuth 2.1 PKCE support for MCP actions.
Scope
Phase 3: TLS and Enterprise Network Options
additionalFields.Phase 4: OAuth 2.1 PKCE
oauth_pkce.Acceptance Criteria
Notes
Parent: #1013
Planning doc:
docs/explanation/features/MCP_PLUGIN_ROBUSTNESS_PLAN.mdPriority: P1
Size: L