Merge pull request #166 from saucow/oauth-notification-refresh-flows

OAuth token event monitoring + refresh

Author: slimslenderslacks

cmd/docker-mcp/oauth/revoke.go

@@ -4,30 +4,35 @@ import (
 	"context"
 	"fmt"
 
+	"github.com/docker/mcp-gateway/pkg/catalog"
 	"github.com/docker/mcp-gateway/pkg/desktop"
 )
 
 func Revoke(ctx context.Context, app string) error {
 	client := desktop.NewAuthClient()
 
-	// Check if this is a DCR provider
-	dcrClient, err := client.GetDCRClient(ctx, app)
-	if err == nil && dcrClient.State != "" {
-		// Handle UNREGISTERED providers - they don't have tokens yet
-		if dcrClient.State == "unregistered" {
-			return fmt.Errorf("provider %s is not authenticated yet - nothing to revoke", app)
-		}
+	// Get catalog to check if this is a remote OAuth server
+	catalogData, err := catalog.GetWithOptions(ctx, true, nil)
+	if err != nil {
+		return fmt.Errorf("failed to get catalog: %w", err)
+	}
+
+	server, found := catalogData.Servers[app]
+	isRemoteOAuth := found && server.IsRemoteOAuthServer()
+
+	fmt.Printf("Revoking OAuth access for %s...\n", app)
+
+	// Revoke tokens
+	if err := client.DeleteOAuthApp(ctx, app); err != nil {
+		return fmt.Errorf("failed to revoke OAuth access: %w", err)
+	}
 
-		// REGISTERED DCR provider - revoke tokens but preserve DCR client for re-auth
-		fmt.Printf("Revoking OAuth access for %s...\n", app)
-		if err := client.DeleteOAuthApp(ctx, app); err != nil {
-			return fmt.Errorf("failed to revoke OAuth access for %s: %w", app, err)
+	// For remote OAuth servers, also delete DCR client
+	if isRemoteOAuth {
+		if err := client.DeleteDCRClient(ctx, app); err != nil {
+			return fmt.Errorf("failed to remove DCR client: %w", err)
 		}
-		fmt.Printf("OAuth access revoked for %s\n", app)
-		fmt.Printf("Note: DCR client registration preserved. Run 'docker mcp oauth authorize %s' to re-authenticate\n", app)
-		return nil
 	}
 
-	// Built-in OAuth provider - just revoke tokens
-	return client.DeleteOAuthApp(ctx, app)
+	return nil
 }

cmd/docker-mcp/server/enable.go

@@ -9,27 +9,11 @@ import (
 
 	"github.com/docker/mcp-gateway/pkg/catalog"
 	"github.com/docker/mcp-gateway/pkg/config"
-	"github.com/docker/mcp-gateway/pkg/desktop"
 	"github.com/docker/mcp-gateway/pkg/docker"
+	"github.com/docker/mcp-gateway/pkg/oauth"
 )
 
 func Disable(ctx context.Context, docker docker.Client, serverNames []string, mcpOAuthDcrEnabled bool) error {
-	// Get catalog including user-configured catalogs to find OAuth-enabled remote servers for DCR cleanup
-	catalog, err := catalog.GetWithOptions(ctx, true, nil)
-	if err != nil {
-		return fmt.Errorf("failed to get catalog: %w", err)
-	}
-
-	// Clean up OAuth for disabled servers first
-	for _, serverName := range serverNames {
-		if server, found := catalog.Servers[serverName]; found {
-			// Three-condition check: DCR flag enabled AND type="remote" AND oauth present
-			if mcpOAuthDcrEnabled && server.IsRemoteOAuthServer() {
-				cleanupOAuthForRemoteServer(ctx, serverName)
-			}
-		}
-	}
-
 	return update(ctx, docker, nil, serverNames, mcpOAuthDcrEnabled)
 }
 
@@ -76,7 +60,7 @@ func update(ctx context.Context, docker docker.Client, add []string, remove []st
 
 			// Three-condition check: DCR flag enabled AND type="remote" AND oauth present
 			if mcpOAuthDcrEnabled && server.IsRemoteOAuthServer() {
-				if err := registerProviderForLazySetup(ctx, serverName); err != nil {
+				if err := oauth.RegisterProviderForLazySetup(ctx, serverName); err != nil {
 					fmt.Printf("Warning: Failed to register OAuth provider for %s: %v\n", serverName, err)
 					fmt.Printf("   You can run 'docker mcp oauth authorize %s' later to set up authentication.\n", serverName)
 				} else {
@@ -112,71 +96,3 @@ func update(ctx context.Context, docker docker.Client, add []string, remove []st
 
 	return nil
 }
-
-// registerProviderForLazySetup registers a provider for lazy DCR setup
-// This shows the provider in the OAuth tab immediately without doing network calls
-func registerProviderForLazySetup(ctx context.Context, serverName string) error {
-	client := desktop.NewAuthClient()
-
-	// Check if DCR client already exists to avoid double-registration
-	_, err := client.GetDCRClient(ctx, serverName)
-	if err == nil {
-		// Provider already registered, no need to register again
-		return nil
-	}
-
-	// Get catalog to extract provider name
-	catalog, err := catalog.GetWithOptions(ctx, true, nil)
-	if err != nil {
-		return fmt.Errorf("failed to get catalog: %w", err)
-	}
-
-	server, found := catalog.Servers[serverName]
-	if !found {
-		return fmt.Errorf("server %s not found in catalog", serverName)
-	}
-
-	// Extract provider name from OAuth config
-	if server.OAuth == nil || len(server.OAuth.Providers) == 0 {
-		return fmt.Errorf("server %s has no OAuth providers configured", serverName)
-	}
-
-	providerName := server.OAuth.Providers[0].Provider // Use first provider
-
-	fmt.Printf("Configuring OAuth provider %s (provider: %s) for authentication...\n", serverName, providerName)
-
-	// Use the existing DCR endpoint with pending=true to register provider without DCR
-	dcrRequest := desktop.RegisterDCRRequest{
-		ProviderName: providerName,
-	}
-
-	if err := client.RegisterDCRClientPending(ctx, serverName, dcrRequest); err != nil {
-		return fmt.Errorf("failed to register pending DCR provider: %w", err)
-	}
-
-	return nil
-}
-
-// cleanupOAuthForRemoteServer removes OAuth provider and DCR client for clean slate UX
-// This ensures disabled servers disappear completely from the Docker Desktop OAuth tab
-func cleanupOAuthForRemoteServer(ctx context.Context, serverName string) {
-	client := desktop.NewAuthClient()
-
-	fmt.Printf("Cleaning up OAuth for %s...\n", serverName)
-
-	// 1. Revoke OAuth tokens (idempotent - fails gracefully if not exists)
-	if err := client.DeleteOAuthApp(ctx, serverName); err != nil {
-		fmt.Printf("   • No OAuth tokens to revoke\n")
-	} else {
-		fmt.Printf("   • OAuth tokens revoked\n")
-	}
-
-	// 2. Delete DCR client data (idempotent - fails gracefully if not exists)
-	if err := client.DeleteDCRClient(ctx, serverName); err != nil {
-		fmt.Printf("   • No DCR client to remove\n")
-	} else {
-		fmt.Printf("   • DCR client data removed\n")
-	}
-
-	fmt.Printf("OAuth cleanup complete for %s\n", serverName)
-}

pkg/desktop/auth.go

@@ -52,6 +52,17 @@ func (c *Tools) ListOAuthApps(ctx context.Context) ([]OAuthApp, error) {
 	return result, err
 }
 
+func (c *Tools) GetOAuthApp(ctx context.Context, app string) (*OAuthApp, error) {
+	AvoidResourceSaverMode(ctx)
+
+	var result OAuthApp
+	err := c.rawClient.Get(ctx, fmt.Sprintf("/apps/%v", app), &result)
+	if err != nil {
+		return nil, err
+	}
+	return &result, nil
+}
+
 func (c *Tools) PostOAuthApp(ctx context.Context, app, scopes string, disableAutoOpen bool) (AuthResponse, error) {
 	AvoidResourceSaverMode(ctx)
 

pkg/gateway/configuration.go

@@ -6,7 +6,6 @@ import (
 	"context"
 	"fmt"
 	"os"
-	"path/filepath"
 	"sort"
 	"strings"
 	"time"
@@ -106,11 +105,6 @@ type FileBasedConfiguration struct {
 	docker docker.Client
 }
 
-// isDCRFeatureEnabled checks if the mcp-oauth-dcr feature is enabled
-func (c *FileBasedConfiguration) isDCRFeatureEnabled() bool {
-	return c.McpOAuthDcrEnabled
-}
-
 func (c *FileBasedConfiguration) Read(ctx context.Context) (Configuration, chan Configuration, func() error, error) {
 	configuration, err := c.readOnce(ctx)
 	if err != nil {
@@ -214,19 +208,6 @@ func (c *FileBasedConfiguration) Read(ctx context.Context) (Configuration, chan
 		}
 	}
 
-	// Add token event file to watcher only if DCR feature is enabled
-	if c.isDCRFeatureEnabled() {
-		tokenEventPath := filepath.Join(os.Getenv("HOME"), ".docker", "mcp", TokenEventFilename)
-		if err := watcher.Add(tokenEventPath); err != nil && !os.IsNotExist(err) {
-			log(fmt.Sprintf("DCR: Warning - Could not watch token event file %s: %v", tokenEventPath, err))
-			// Don't fail configuration loading if token event file can't be watched
-		} else {
-			log(fmt.Sprintf("DCR: Watching token event file: %s", tokenEventPath))
-		}
-	} else {
-		log("DCR: Token event file watching disabled (mcp-oauth-dcr feature inactive)")
-	}
-
 	return configuration, updates, watcher.Close, nil
 }
 

pkg/gateway/dynamic_mcps.go

@@ -18,6 +18,7 @@ import (
 	"go.opentelemetry.io/otel/metric"
 
 	"github.com/docker/mcp-gateway/pkg/catalog"
+	"github.com/docker/mcp-gateway/pkg/oauth"
 	"github.com/docker/mcp-gateway/pkg/oci"
 	"github.com/docker/mcp-gateway/pkg/telemetry"
 )
@@ -287,6 +288,17 @@ func (g *Gateway) createMcpAddTool(clientConfig *clientConfig) *ToolRegistration
 			return nil, fmt.Errorf("failed to reload configuration: %w", err)
 		}
 
+		// Register DCR client and start OAuth provider if this is a remote OAuth server
+		if g.McpOAuthDcrEnabled {
+			// Register DCR client with DD so user can authorize
+			if err := oauth.RegisterProviderForLazySetup(ctx, serverName); err != nil {
+				logf("Warning: Failed to register OAuth provider for %s: %v", serverName, err)
+			}
+
+			// Start provider
+			g.startProvider(ctx, serverName)
+		}
+
 		return &mcp.CallToolResult{
 			Content: []mcp.Content{&mcp.TextContent{
 				Text: fmt.Sprintf("Successfully added server '%s'. Assume that it is fully configured and ready to use.", serverName),
@@ -350,6 +362,11 @@ func (g *Gateway) createMcpRemoveTool() *ToolRegistration {
 		// Update the current configuration state
 		g.configuration.serverNames = updatedServerNames
 
+		// Stop OAuth provider if this is an OAuth server
+		if g.McpOAuthDcrEnabled {
+			g.stopProvider(serverName)
+		}
+
 		if err := g.removeServerConfiguration(ctx, serverName); err != nil {
 			return nil, fmt.Errorf("failed to remove server configuration: %w", err)
 		}