Skip to content

Add root-level OAuth discovery endpoint to prevent request hangs #673

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
pelikhan merged 3 commits into from
Feb 4, 2026
Merged

Add root-level OAuth discovery endpoint to prevent request hangs #673

pelikhan merged 3 commits into from
Feb 4, 2026
+80 −4

Conversation

Copy link
Contributor

Copilot AI commented Feb 4, 2026
edited
Loading

OAuth discovery requests to /.well-known/oauth-authorization-server hang instead of returning 404, causing Codex rmcp client to timeout after 15s per server. Gateway only registers handler at /mcp/.well-known/oauth-authorization-server.

Changes

  • Route registration: Add handler at /.well-known/oauth-authorization-server in both unified (transport.go) and routed (routed.go) modes
  • Handler reuse: Both paths now use existing handleOAuthDiscovery() that returns 404
  • Test coverage: Added test cases for root-level and MCP-prefixed paths (GET/POST methods)

Implementation

// OAuth discovery endpoints - return 404 since we don't use OAuth
// Standard path for OAuth discovery (per RFC 8414)
mux.Handle("/.well-known/oauth-authorization-server", withResponseLogging(handleOAuthDiscovery()))
// MCP-prefixed path for backward compatibility
mux.Handle("/mcp/.well-known/oauth-authorization-server", withResponseLogging(handleOAuthDiscovery()))

Result: OAuth discovery now fails fast with immediate 404 instead of timing out.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • example.com
    • Triggering command: `/tmp/go-build3835057396/b270/launcher.test /tmp/go-build3835057396/b270/launcher.test -test.testlogfile=/tmp/go-build3835057396/b270/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true g_.a dler at /.well-known/oauth-authorization-server for both unified and routed modes
  • Prevents req--norc x_amd64/vet` (dns block)
  • invalid-host-that-does-not-exist-12345.com
    • Triggering command: /tmp/go-build3835057396/b258/config.test /tmp/go-build3835057396/b258/config.test -test.testlogfile=/tmp/go-build3835057396/b258/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true ache/go/1.25.6/x64/src/runtime/cgo (dns block)
  • nonexistent.local
    • Triggering command: `/tmp/go-build3835057396/b270/launcher.test /tmp/go-build3835057396/b270/launcher.test -test.testlogfile=/tmp/go-build3835057396/b270/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true g_.a dler at /.well-known/oauth-authorization-server for both unified and routed modes
  • Prevents req--norc x_amd64/vet` (dns block)
  • slow.example.com
    • Triggering command: `/tmp/go-build3835057396/b270/launcher.test /tmp/go-build3835057396/b270/launcher.test -test.testlogfile=/tmp/go-build3835057396/b270/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true g_.a dler at /.well-known/oauth-authorization-server for both unified and routed modes
  • Prevents req--norc x_amd64/vet` (dns block)
  • this-host-does-not-exist-12345.com
    • Triggering command: /tmp/go-build3835057396/b279/mcp.test /tmp/go-build3835057396/b279/mcp.test -test.testlogfile=/tmp/go-build3835057396/b279/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true g_.a 64/src/crypto/internal/boring/bbig/big.go df11d1ebad5122b89293a9cf3b8353f09e1d0c3b3841ebf6471/log.json -g" "-lresolv" ernal/sys -I 64/pkg/tool/linux_amd64/vet (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details on the original issue you should resolve

<issue_title>OAuth discovery requests hang instead of returning 404</issue_title>
<issue_description>## Summary

OAuth discovery requests to /.well-known/oauth-authorization-server hang indefinitely instead of returning a quick 404 response. This causes Codex MCP connections to timeout after 15 seconds per server.

Problem

The Codex rmcp client (Rust MCP client) attempts OAuth discovery at the standard path:

GET http://host.docker.internal/.well-known/oauth-authorization-server

But the MCP Gateway registers the OAuth handler at:

/mcp/.well-known/oauth-authorization-server

Since there's no handler at /.well-known/..., the request has no matching route and hangs instead of returning 404.

Evidence

Smoke-codex workflow run: https://github.com/github/gh-aw/actions/runs/21688558782

Error pattern:

DEBUG session_init: codex_rmcp_client::auth_status: OAuth discovery requests failed for 
http://host.docker.internal:80/mcp/playwright: error sending request for url 
(http://host.docker.internal/.well-known/oauth-authorization-server)

Caused by:
    operation timed out

Result:

  • OAuth discovery times out (15 seconds per server)
  • 4 of 6 MCP servers fail to connect
  • Only tavily and safeoutputs succeed (race condition - they complete before timeout exhausts resources)

Firewall logs confirm traffic reaches gateway:

▼ 11 requests | 11 allowed | 0 blocked | 1 unique domain
| Domain              | Allowed | Denied |
|---------------------|---------|--------|
| host.docker.internal | 11      | 0      |

Comparison with working run

In run 21653900083 (before chroot mode), using IP address 172.30.0.1, OAuth discovery was NOT attempted and all 6 MCP servers connected successfully:

ready: ["safeoutputs", "safeinputs", "github", "playwright", "tavily", "serena"]

Current Route Registration

From internal/server/transport.go:

Route Handler
/mcp/.well-known/oauth-authorization-server OAuth handler (returns 404)
/mcp/ and /mcp StreamableHTTPHandler
/health Health check
/close Graceful shutdown
/.well-known/* NO HANDLER ← causes hang

Proposed Fix

Add a handler for OAuth discovery at the standard path (without /mcp/ prefix):

// In internal/server/transport.go, add alongside existing routes:
mux.HandleFunc("/.well-known/oauth-authorization-server", func(w http.ResponseWriter, r *http.Request) {
    http.NotFound(w, r)
})

This ensures OAuth discovery requests get an immediate 404 response instead of hanging.

Impact

This fix would:

  1. Make OAuth discovery fail fast (instant 404 instead of 15s timeout)
  2. Allow all 6 MCP servers to connect successfully in Codex workflows
  3. Fix smoke-codex CI failures

Related

  • gh-aw PR github/gh-aw-mcpg#13792: Removed hardcoded IP from Codex config (firewall fix - separate issue)</issue_description>

Comments on the Issue (you are @copilot in this section)

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI and others added 2 commits February 4, 2026 22:53
@pelikhan
Add root-level OAuth discovery endpoint returning 404
54cd936 
- Add handler at /.well-known/oauth-authorization-server for both unified and routed modes
- Prevents requests from hanging by returning immediate 404 response
- Add comprehensive tests for both root and MCP-prefixed OAuth discovery paths
- Fixes timeout issues with Codex MCP client OAuth discovery attempts

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Fix test comment - accurately describe routed mode test setup
2b0b0a3 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix OAuth discovery requests hanging instead of returning 404 Add root-level OAuth discovery endpoint to prevent request hangs Feb 4, 2026
Copilot AI requested a review from pelikhan February 4, 2026 22:57
@pelikhan pelikhan marked this pull request as ready for review February 4, 2026 23:47
Copilot AI review requested due to automatic review settings February 4, 2026 23:47
@pelikhan pelikhan merged commit 9578bb7 into main Feb 4, 2026
9 checks passed
@pelikhan pelikhan deleted the copilot/fix-oauth-discovery-404 branch February 4, 2026 23:49
@github-actions github-actions bot mentioned this pull request Feb 5, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pelikhan pelikhan Awaiting requested review from pelikhan

Copilot code review Copilot Awaiting requested review from Copilot

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

OAuth discovery requests hang instead of returning 404

2 participants

@pelikhan