Summary
OAuth login for MCP servers does not provide a way to include the RFC 8707 resource parameter in the authorization request. Some OAuth providers require resource, so the login flow fails even though the user completes authorization in the browser.
Repro
- Configure a streamable HTTP MCP server that uses OAuth and requires
resource on the authorization request.
- Run
codex mcp login <server-name>.
- The browser flow completes, but the token exchange fails (no
access_token), because the authorization URL never included resource.
Expected
Codex should allow specifying an OAuth resource value per MCP server and append it to the authorization URL when starting the login flow.
Notes
The current flow only passes scope, redirect_uri, and client_name. There is no config/CLI way to pass an OAuth resource value.
Summary
OAuth login for MCP servers does not provide a way to include the RFC 8707
resourceparameter in the authorization request. Some OAuth providers requireresource, so the login flow fails even though the user completes authorization in the browser.Repro
resourceon the authorization request.codex mcp login <server-name>.access_token), because the authorization URL never includedresource.Expected
Codex should allow specifying an OAuth resource value per MCP server and append it to the authorization URL when starting the login flow.
Notes
The current flow only passes
scope,redirect_uri, andclient_name. There is no config/CLI way to pass an OAuthresourcevalue.