feat(diagnostics): classify OAuth login-required (MCP-1820)#628
Merged
Conversation
…tate OAuth "needs sign-in" previously fell through to MCPX_UNKNOWN_UNCLASSIFIED, which drives a misleading "file a bug" CTA, and the health calculator marked every OAuth-related error as unhealthy/red — even an expected first-time login. - Add MCPX_OAUTH_LOGIN_REQUIRED (warn) and MCPX_OAUTH_REAUTH_REQUIRED (error) codes with login-oriented catalog entries (never file-a-bug). - ErrOAuthPending.Code() attributes the typed fast-path: default/login-available message -> OAuthLoginRequired; the stored-token-broke (server-5xx) message -> OAuthReauthRequired. - classifyOAuth string backstops catch the stringified forms; re-auth is matched before login because "re-login available" contains "login available". - Health: first-time sign-in (ErrOAuthPending) -> degraded/amber + login + "Sign-in required"; re-auth and other genuine OAuth errors stay unhealthy/red. Connection-failure precedence in isOAuthRelatedError is preserved. - Docs: add docs/errors pages for both codes and list them in the catalog index. Related #MCP-1820
Deploying mcpproxy-docs with
|
| Latest commit: |
75dcefc
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://1495c3ca.mcpproxy-docs.pages.dev |
| Branch Preview URL: | https://mcp-1820-oauth-login-classif.mcpproxy-docs.pages.dev |
|
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
📦 Build ArtifactsWorkflow Run: View Run Available Artifacts
How to DownloadOption 1: GitHub Web UI (easiest)
Option 2: GitHub CLI gh run download 27221871300 --repo smart-mcp-proxy/mcpproxy-go
|
There was a problem hiding this comment.
✅ Gatekeeper approval — Codex review verdict: ACCEPT.
This approval is posted automatically by the MCPProxy Gatekeeper App on behalf of the Codex reviewer (verdict of record lives in the Paperclip review thread). Author≠approver satisfied; QA + CI gates enforced separately.
Auto-approved per Model B (MCP-1249).
Dumbris
added a commit
that referenced
this pull request
Jun 12, 2026
…P-2084) (#634) Some remote MCP endpoints (e.g. Google's sqladmin MCP) allow anonymous `initialize` + `tools/list` but enforce OAuth only at `tools/call`. The proxy connected, listed 15 tools, and the health classifier reported the server as fully healthy/Ready with no Sign-in affordance — every actual tool call failed at runtime with "authorization required", which the operator only discovered by failing a call. Root cause: the health calculator's OAuth/login branch is gated entirely on `OAuthRequired`, which is derived from connect-time OAuth config only. A server that connects anonymously has `OAuthRequired=false`, and a call-time "authorization required" is not a connection error, so the state machine stays Ready and nothing flags the server for sign-in. Fix (backend detection; reuses the existing action=login Sign-in CTA): - managed client: on a tools/call that fails with "authorization required" / 401 from an otherwise-connected server, set a per-server oauthCallRequired flag (cleared by a successful call or a fresh post-sign-in Connect). - runtime: feed the flag into the health calculator input as CallTimeOAuthRequired. - health calculator: a connected server with CallTimeOAuthRequired now returns Level=degraded, Action=login, Summary="Sign-in required" — placed after the connection-state switch so genuine error/disconnected states keep priority. This closes the gap MCP-1819 left (which only handled servers surfacing login-required at connect time). No new config keys, CLI flags, or API endpoints; the documented health contract (action=login) is unchanged. Tests: health calculator branch (+ negative: connection errors keep priority), managed-client call-time signal classification (auth vs 401 vs non-auth vs connection error). Related MCP-1819 (#628/#629/#630).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Foundation task MCP-1820 under epic MCP-1819. Makes OAuth "needs sign-in" classify correctly instead of falling through to
MCPX_UNKNOWN_UNCLASSIFIED(which drives a misleading "file a bug" CTA), and stops the health calculator from painting an expected first-time login as unhealthy/red.Changes
internal/diagnostics/codes.go— addMCPX_OAUTH_LOGIN_REQUIREDandMCPX_OAUTH_REAUTH_REQUIRED(OAUTH domain), documented as actionable user-states (NOT faults).internal/diagnostics/registry.go— catalog entries with login-oriented fix steps (Sign in / Sign in again), never file-a-bug. Login =warn, re-auth =error.internal/diagnostics/classifier.go—classifyOAuthstring backstops:"oauth authentication required","login available","mcpproxy auth login"→ login;"re-login available","re-authentication required","server error with stored token"→ re-auth. Re-auth is matched first because"re-login available"contains"login available".internal/upstream/core/connection_oauth.go—ErrOAuthPending.Code()typed fast-path: default/login-available message →OAuthLoginRequired; the stored-token-broke (server-5xx) message →OAuthReauthRequired.internal/health/calculator.go— error/disconnected branches: first-time sign-in →degraded/amber +login+"Sign-in required"; re-auth and other genuine OAuth errors (revoked /invalid_grant) stayunhealthy/red. Connection-failure precedence inisOAuthRelatedErrorpreserved (offline servers still suggest restart).docs/errors/— pages for both new codes + catalog index entries.Tests (TDD)
internal/diagnostics/classifier_test.go— both codes, typed fast-path + string backstop (incl. the re-login/login substring-ordering case).internal/upstream/core/oauth_error_test.go—ErrOAuthPending.Code()+ end-to-enddiagnostics.Classify.internal/health/calculator_test.go— login → degraded+login+"Sign-in required"; re-auth → unhealthy+login (botherroranddisconnectedstates).Verification
go build ./...— cleango test -race ./internal/diagnostics/... ./internal/health/... ./internal/upstream/... ./internal/runtime/...— all green./scripts/run-linter.sh— 0 issuesRelated #MCP-1820