MCP Support Regression in Upstream Dependency

[lattwood]

What version of Codex CLI is running?

9efb7f4

codex --version
codex-cli 0.0.0

What subscription do you have?

API

Which model were you using?

N/A

What platform is your computer?

N/A

What terminal emulator and version are you using (if applicable)?

N/A

What issue are you seeing?

In RMCP 0.13 & 0.14, they accidentally didn't include the 4th fallback OAuth option- falling back to /.well-known/oauth-authorization-server. It was reported here, modelcontextprotocol/rust-sdk#632 and was fixed in modelcontextprotocol/rust-sdk#641 but they didn't cut a backport release and it's only fixed in 0.15.

Unfortunately, they didn't backport the fix to 0.14, and 0.15 includes changes to Elicitation handling that require changes to Codex's MCP support (otherwise I'd open a PR for the fix).

Functionally, this means you can't use the Cloudflare MCP server, or arguably any MCP server hosted on Cloudflare workers if they're using the same OAuth library as the CF hosted MCP server.

What steps can reproduce the bug?

Add a Cloudflare MCP server to ~/.codex/config.toml without configuring any headers/bearer authentication. Try running codex mcp login cloudflare.

> codex mcp login cloudflare
Error: No authorization support detected

What is the expected behavior?

It should kick off OAuth appropriately.

Additional information

I cloned modelcontextprotocol/rust-sdk @ 0.14, did patch -p1 with the commit where they added the additionaly URL, built Codex CLI locally, and it worked!

 > codex mcp login cloudflare
Authorize `cloudflare` by opening this URL in your browser:
https://dns-analytics.mcp.cloudflare.com/oauth/authorize?response_type=code&client_id=REDACTED&state=REDACTED&code_challenge=REDACTED&code_challenge_method=REDACTED&redirect_uri=http%3A%2F%2F127.0.0.1%3A57488%2Fcallback

Successfully logged in to MCP server 'cloudflare'.

[etraut-openai]

Thanks for the bug report and the analysis. Since this appears to have limited impact (the cloudflare MCP server), and the fix will potentially require a fair amount of work with potential regression risk, it might be a while before we get to this one. If we receive reports that this affects other popular MCP servers, we could bump it in the priority queue. Just want to set expectations.

[mike-hearn]

I'm not sure if this is the same issue, but I'm seeing that the Jira/Atlassian MCP is not working in 0.99.0 while it was working in 0.98.0:

~/.codex took 9s
❯ bun x @openai/codex@0.98.0 mcp login jira
Authorize `jira` by opening this URL in your browser:
https://mcp.atlassian.com/v1/authorize?response_type=code&client_id=<secrets elided>

Successfully logged in to MCP server 'jira'.

~/.codex took 8s
❯ bun x @openai/codex@0.99.0 mcp login jira
Error: No authorization support detected

[ingen-philip]

@openai/codex 0.99.0 breaks Linear MCP auth as well:

0.98.0:

$ bun x @openai/codex@0.98.0 mcp login linear
Authorize `linear` by opening this URL in your browser:
https://mcp.linear.app/authorize?response_type=code&client_id=...

Successfully logged in to MCP server 'linear'.

0.99.0:

$ bun x @openai/codex@0.99.0 mcp login linear
Error: No authorization support detected

[etraut-openai]

OK, it sounds like this has broader impact and is something that we need to prioritize. Thanks for the reports.

[etraut-openai]

PR is posted

[lattwood]

Thanks Eric!

[xavierstampslafont]

I was giving Codex a try and thought I had misconfigured Atlassian's MCP 😅 Downgraded to 0.98.0 for now until the fix is out. Thanks for being so quick on the turnaround!

[etraut-openai]

The next release (0.100.0) will fix this.