Revert "feat: explicit OAuth configuration for remote MCP servers (#2248)"

This reverts commit 093a412.

Author: yunus25jmi1

agent-schema.json

@@ -1205,48 +1205,13 @@
           "additionalProperties": {
             "type": "string"
           }
-        },
-        "oauth": {
-          "$ref": "#/definitions/RemoteOAuthConfig",
-          "description": "Explicit OAuth configuration for remote MCP servers that do not support Dynamic Client Registration"
         }
       },
       "required": [
         "url"
       ],
       "additionalProperties": false
     },
-    "RemoteOAuthConfig": {
-      "type": "object",
-      "description": "Explicit OAuth configuration for remote MCP servers. Allows using pre-registered OAuth clients with servers that do not support Dynamic Client Registration (RFC 7591), such as the Slack MCP server.",
-      "properties": {
-        "client_id": {
-          "type": "string",
-          "description": "OAuth client ID (required for explicit OAuth)",
-          "examples": ["3660753192626.8903469228982"]
-        },
-        "client_secret": {
-          "type": "string",
-          "description": "OAuth client secret (optional, for confidential clients)"
-        },
-        "callback_port": {
-          "type": "integer",
-          "description": "Fixed port for the OAuth callback server (optional). When not specified, a random available port is used.",
-          "examples": [3118]
-        },
-        "scopes": {
-          "type": "array",
-          "description": "List of OAuth scopes to request (optional). When not specified, default scopes from the server are used.",
-          "items": {
-            "type": "string"
-          },
-          "examples": [
-            ["search:read.public", "chat:write"]
-          ]
-        }
-      },
-      "additionalProperties": false
-    },
     "ScriptShellToolConfig": {
       "type": "object",
       "description": "Configuration for custom shell tool",

examples/slack-oauth-example.yaml

@@ -624,26 +624,9 @@ func (t *Toolset) UnmarshalYAML(unmarshal func(any) error) error {
 }
 
 type Remote struct {
-	URL           string             `json:"url"`
-	TransportType string             `json:"transport_type,omitempty"`
-	Headers       map[string]string  `json:"headers,omitempty"`
-	OAuth         *RemoteOAuthConfig `json:"oauth,omitempty"`
-}
-
-// RemoteOAuthConfig represents explicit OAuth configuration for remote MCP servers.
-// This allows using pre-registered OAuth clients with servers that do not support
-// Dynamic Client Registration (RFC 7591), such as the Slack MCP server.
-type RemoteOAuthConfig struct {
-	// ClientID is the OAuth client ID (required for explicit OAuth)
-	ClientID string `json:"client_id,omitempty"`
-	// ClientSecret is the OAuth client secret (optional, for confidential clients)
-	ClientSecret string `json:"client_secret,omitempty"`
-	// CallbackPort is the fixed port for the OAuth callback server (optional)
-	// When not specified, a random available port is used
-	CallbackPort int `json:"callback_port,omitempty"`
-	// Scopes is the list of OAuth scopes to request (optional)
-	// When not specified, default scopes from the server are used
-	Scopes []string `json:"scopes,omitempty"`
+	URL           string            `json:"url"`
+	TransportType string            `json:"transport_type,omitempty"`
+	Headers       map[string]string `json:"headers,omitempty"`
 }
 
 // DeferConfig represents the deferred loading configuration for a toolset.

pkg/config/latest/types.go

@@ -362,7 +362,6 @@ func (r *RemoteRuntime) handleOAuthElicitation(ctx context.Context, req *Elicita
 		state,
 		oauth2.S256ChallengeFromVerifier(verifier),
 		serverURL,
-		nil, // scopes - use server defaults
 	)
 
 	slog.Debug("Authorization URL built", "url", authURL)

pkg/runtime/remote_runtime.go

@@ -250,16 +250,6 @@ func createMCPTool(ctx context.Context, toolset latest.Toolset, _ string, runCon
 
 		// TODO(dga): until the MCP Gateway supports oauth with docker agent, we fetch the remote url and directly connect to it.
 		if serverSpec.Type == "remote" {
-			// Check if explicit OAuth config is provided in the toolset
-			if toolset.Remote.OAuth != nil {
-				oauthConfig := &mcp.RemoteOAuthConfig{
-					ClientID:     toolset.Remote.OAuth.ClientID,
-					ClientSecret: toolset.Remote.OAuth.ClientSecret,
-					CallbackPort: toolset.Remote.OAuth.CallbackPort,
-					Scopes:       toolset.Remote.OAuth.Scopes,
-				}
-				return mcp.NewRemoteToolsetWithOAuth(toolset.Name, serverSpec.Remote.URL, serverSpec.Remote.TransportType, nil, oauthConfig), nil
-			}
 			return mcp.NewRemoteToolset(toolset.Name, serverSpec.Remote.URL, serverSpec.Remote.TransportType, nil), nil
 		}
 
@@ -301,17 +291,6 @@ func createMCPTool(ctx context.Context, toolset latest.Toolset, _ string, runCon
 		headers := expander.ExpandMap(ctx, toolset.Remote.Headers)
 		url := expander.Expand(ctx, toolset.Remote.URL, nil)
 
-		// Use explicit OAuth config if provided
-		if toolset.Remote.OAuth != nil {
-			oauthConfig := &mcp.RemoteOAuthConfig{
-				ClientID:     toolset.Remote.OAuth.ClientID,
-				ClientSecret: toolset.Remote.OAuth.ClientSecret,
-				CallbackPort: toolset.Remote.OAuth.CallbackPort,
-				Scopes:       toolset.Remote.OAuth.Scopes,
-			}
-			return mcp.NewRemoteToolsetWithOAuth(toolset.Name, url, toolset.Remote.TransportType, headers, oauthConfig), nil
-		}
-
 		return mcp.NewRemoteToolset(toolset.Name, url, toolset.Remote.TransportType, headers), nil
 
 	default:

pkg/teamloader/registry.go

@@ -20,22 +20,6 @@ import (
 	"github.com/docker/docker-agent/pkg/tools"
 )
 
-// RemoteOAuthConfig represents explicit OAuth configuration for remote MCP servers.
-// This allows using pre-registered OAuth clients with servers that do not support
-// Dynamic Client Registration (RFC 7591), such as the Slack MCP server.
-type RemoteOAuthConfig struct {
-	// ClientID is the OAuth client ID (required for explicit OAuth)
-	ClientID string
-	// ClientSecret is the OAuth client secret (optional, for confidential clients)
-	ClientSecret string
-	// CallbackPort is the fixed port for the OAuth callback server (optional)
-	// When not specified, a random available port is used
-	CallbackPort int
-	// Scopes is the list of OAuth scopes to request (optional)
-	// When not specified, default scopes from the server are used
-	Scopes []string
-}
-
 type mcpClient interface {
 	Initialize(ctx context.Context, request *mcp.InitializeRequest) (*mcp.InitializeResult, error)
 	ListTools(ctx context.Context, request *mcp.ListToolsParams) iter.Seq2[*mcp.Tool, error]
@@ -123,20 +107,6 @@ func NewRemoteToolset(name, urlString, transport string, headers map[string]stri
 	}
 }
 
-// NewRemoteToolsetWithOAuth creates a new MCP toolset from a remote MCP Server with explicit OAuth configuration.
-func NewRemoteToolsetWithOAuth(name, urlString, transport string, headers map[string]string, oauthConfig *RemoteOAuthConfig) *Toolset {
-	slog.Debug("Creating Remote MCP toolset with OAuth", "url", urlString, "transport", transport, "headers", headers)
-
-	desc := buildRemoteDescription(urlString, transport)
-	client := newRemoteClient(urlString, transport, headers, NewInMemoryTokenStore()).WithOAuthConfig(oauthConfig)
-	return &Toolset{
-		name:        name,
-		mcpClient:   client,
-		logID:       urlString,
-		description: desc,
-	}
-}
-
 // errServerUnavailable is returned by doStart when the MCP server could not be
 // reached but the error is non-fatal (e.g. EOF). The toolset is considered
 // "started" so the agent can proceed, but watchConnection must not be spawned

pkg/tools/mcp/mcp.go

@@ -161,11 +161,10 @@ func resourceMetadataFromWWWAuth(wwwAuth string) string {
 type oauthTransport struct {
 	base http.RoundTripper
 	// TODO(rumpl): remove client reference, we need to find a better way to send elicitation requests
-	client      *remoteMCPClient
-	tokenStore  OAuthTokenStore
-	baseURL     string
-	managed     bool
-	oauthConfig *RemoteOAuthConfig
+	client     *remoteMCPClient
+	tokenStore OAuthTokenStore
+	baseURL    string
+	managed    bool
 }
 
 func (t *oauthTransport) RoundTrip(req *http.Request) (*http.Response, error) {
@@ -266,11 +265,6 @@ func (t *oauthTransport) handleManagedOAuthFlow(ctx context.Context, authServer,
 		}
 	}()
 
-	// Use explicit callback port if configured
-	if t.oauthConfig != nil && t.oauthConfig.CallbackPort > 0 {
-		callbackServer.SetPort(t.oauthConfig.CallbackPort)
-	}
-
 	if err := callbackServer.Start(); err != nil {
 		return fmt.Errorf("failed to start callback server: %w", err)
 	}
@@ -281,22 +275,17 @@ func (t *oauthTransport) handleManagedOAuthFlow(ctx context.Context, authServer,
 	var clientID string
 	var clientSecret string
 
-	// Use explicit OAuth credentials if provided, otherwise attempt dynamic registration
-	if t.oauthConfig != nil && t.oauthConfig.ClientID != "" {
-		slog.Debug("Using explicit OAuth client ID from configuration")
-		clientID = t.oauthConfig.ClientID
-		clientSecret = t.oauthConfig.ClientSecret
-	} else if authServerMetadata.RegistrationEndpoint != "" {
+	if authServerMetadata.RegistrationEndpoint != "" {
 		slog.Debug("Attempting dynamic client registration")
-		clientID, clientSecret, err = RegisterClient(ctx, authServerMetadata, redirectURI, t.oauthConfig.Scopes)
+		clientID, clientSecret, err = RegisterClient(ctx, authServerMetadata, redirectURI, nil)
 		if err != nil {
 			slog.Debug("Dynamic registration failed", "error", err)
-			// If explicit client ID was not provided and registration failed, return error
-			return fmt.Errorf("dynamic client registration failed and no explicit client ID provided: %w", err)
+			// TODO(rumpl): fall back to requesting client ID from user
+			return err
 		}
 	} else {
-		// No dynamic registration support and no explicit credentials
-		return errors.New("authorization server does not support dynamic client registration and no explicit OAuth credentials provided")
+		// TODO(rumpl): fall back to requesting client ID from user
+		return errors.New("authorization server does not support dynamic client registration")
 	}
 
 	state, err := GenerateState()
@@ -307,20 +296,13 @@ func (t *oauthTransport) handleManagedOAuthFlow(ctx context.Context, authServer,
 	callbackServer.SetExpectedState(state)
 	verifier := GeneratePKCEVerifier()
 
-	// Use explicit scopes if provided, otherwise use server defaults
-	scopes := authServerMetadata.ScopesSupported
-	if t.oauthConfig != nil && len(t.oauthConfig.Scopes) > 0 {
-		scopes = t.oauthConfig.Scopes
-	}
-
 	authURL := BuildAuthorizationURL(
 		authServerMetadata.AuthorizationEndpoint,
 		clientID,
 		redirectURI,
 		state,
 		oauth2.S256ChallengeFromVerifier(verifier),
 		t.baseURL,
-		scopes,
 	)
 
 	result, err := t.client.requestElicitation(ctx, &mcpsdk.ElicitParams{