Skip to content

Fix MCP instance OAuth redirects#21

Merged
hbanerjee74 merged 3 commits into
mainfrom
fix/mcp-instance-oauth-redirect-authz
Jul 3, 2026
Merged

Fix MCP instance OAuth redirects#21
hbanerjee74 merged 3 commits into
mainfrom
fix/mcp-instance-oauth-redirect-authz

Conversation

@hbanerjee74

Copy link
Copy Markdown

Summary

  • preserve MCP catalog header contracts in typed conversions and catalog sync tests
  • add the MCP server instance OAuth URL route used by Studio to start downstream OAuth
  • allow the matching MCP instance OAuth redirect route through authz for owned instances

Why

Studio's real-Obot MCP setup flow creates per-user MCP server instances and then drives downstream OAuth through Obot. The route exists and the browser journey reaches it, but the OAuth redirect request is denied unless the authz resource map recognizes /api/mcp-server-instances/{id}/oauth-redirect as an owned MCP server instance action.

Validation

  • go test ./pkg/api/authz -count=1
  • Studio focused integration with locally built Obot image: OBOT_IMAGE=obot-vibedata:local-test npx playwright test --config config/playwright/playwright.backed.config.ts tests/e2e/journeys/backed/mcp-real-obot-backed.journey.spec.ts -g 'drives setup, OAuth, unsupported, and disconnect paths against real Obot'

Release note

After this merges, the Build and Push obot-vibedata workflow should publish a new ghcr.io/accelerate-data/obot-vibedata:latest digest. Studio then needs to run npm run obot:image:bump and rerun the Obot-focused gates against the new pinned digest.

@hbanerjee74 hbanerjee74 merged commit 4ee57c8 into main Jul 3, 2026
3 of 4 checks passed
@hbanerjee74 hbanerjee74 deleted the fix/mcp-instance-oauth-redirect-authz branch July 3, 2026 07:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant