Oauth flow in CE mode #347
Description
I am trying this for the first time, I don't have docker desktop and I am in WSL. I have docker-credential-pass setup.
Just trying this out
> env DOCKER_MCP_USE_CE=true docker mcp oauth authorize notion-remote
Starting OAuth authorization for notion-remote...
- Using credential helper: docker-credential-pass
Checking DCR registration...
- DCR client already registered for notion-remote (clientID: iIVK4..)
OAuth callback server bound to localhost:5000
Generating authorization URL...
- Callback server listening on http://localhost:5000/callback
- State format for proxy: mcp-gateway:5000:UUID
- Adding resource parameter: https://mcp.notion.com
- Generated authorization URL for notion-remote with PKCE
Please visit this URL to authorize:
https://mcp.notion.com/authorize?access_type=offline&client_id=iIVK4...&code_challenge=hL2Zv..&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fmcp.docker.com%2Foauth%2Fcallback&resource=https%3A%2F%2Fmcp.notion.com&response_type=code&state=mcp-gateway%3A5000%3A644d4d31-accd-47bd-bcf3-b7446867d388
Waiting for authorization callback on http://localhost:5000/callback...I then get through the flow. But nothing happens. The port is open and reachable from windows. The issue appears that the callback is not local, but a proxy at https://mcp.docker.com/oauth/callback?code=feb452ba... who then return a 302 with a location of docker-desktop://external-oauth2/exchange?code=feb452ba..&state=mcp-gateway%3A50...
Is this expected? should the callback be proxied to https://mcp.docker.com/oauth at all in CE mode? Or should mcp.docker.com/oauth be told not to use docker-desktop:// in this case?
I can sort of get further by manually changing the &redirect_uri param, but then get
- Received OAuth callback with code and state
Exchanging authorization code for access token...
token exchange failed: invalid state parameter: invalid state parameter
in the cli.