Summary
OAuth discovery requests to /.well-known/oauth-authorization-server hang indefinitely instead of returning a quick 404 response. This causes Codex MCP connections to time out after 15 seconds per server.
Problem
The Codex rmcp client (Rust MCP client) attempts OAuth discovery at the standard path:
GET http://host.docker.internal/.well-known/oauth-authorization-server
But the MCP Gateway registers the OAuth handler at:
/mcp/.well-known/oauth-authorization-server
Since there's no handler at /.well-known/..., the request has no matching route and hangs instead of returning 404.
Evidence
Error pattern:
```
DEBUG session_init: codex_rmcp_client::auth_status: OAuth discovery requests failed for
http://host.docker.internal:80/mcp/playwright: error sending request for url
(http://host.docker.internal/.well-known/oauth-authorization-server)
Caused by:
operation timed out
```
Result:
- OAuth discovery times out (15 seconds per server)
- 4 of 6 MCP servers fail to connect
- Only tavily and safeoutputs succeed (race condition - they complete before timeout exhausts resources)
Firewall logs confirm traffic reaches gateway:
▼ 11 requests | 11 allowed | 0 blocked | 1 unique domain
| Domain | Allowed | Denied |
|---------------------|---------|--------|
| host.docker.internal | 11 | 0 |
Comparison with working run
In run 21653900083 (before chroot mode), using IP address 172.30.0.1, OAuth discovery was NOT attempted and all 6 MCP servers connected successfully:
ready: ["safeoutputs", "safeinputs", "github", "playwright", "tavily", "serena"]
Current Route Registration
From internal/server/transport.go:
| Route | Handler |
|-------|---------|
| /mcp/.well-known/oauth-authorization-server | OAuth handler (returns 404) |
| /mcp/ and /mcp | StreamableHTTPHandler |
| /health | Health check |
| /close | Graceful shutdown |
| /.well-known/* | NO HANDLER ← causes hang |
Proposed Fix
Add a handler for OAuth discovery at the standard path (without /mcp/ prefix):
```go
// In internal/server/transport.go, add alongside existing routes:
mux.HandleFunc("/.well-known/oauth-authorization-server", func(w http.ResponseWriter, r *http.Request) {
	http.NotFound(w, r)
})
```
This ensures OAuth discovery requests get an immediate 404 response instead of hanging.
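A regression check for the fail-fast behaviour, as an added example that is not the gateway's own code: it rebuilds the route table above with stand-in handlers, adds the proposed route, and confirms the discovery path is answered within a deadline. The names `newGatewayMux` and `probe` and the 500 ms limit are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// newGatewayMux mirrors the route table above with stand-in handlers
// (hypothetical; the real handlers live in internal/server/transport.go).
func newGatewayMux() *http.ServeMux {
	mux := http.NewServeMux()
	ok := func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) }
	mux.HandleFunc("/mcp/.well-known/oauth-authorization-server", http.NotFound)
	mux.HandleFunc("/mcp/", ok)
	mux.HandleFunc("/mcp", ok)
	mux.HandleFunc("/health", ok)
	mux.HandleFunc("/close", ok)
	// Proposed fix: answer discovery at the standard path immediately.
	mux.HandleFunc("/.well-known/oauth-authorization-server", http.NotFound)
	return mux
}

// probe serves one GET through h and reports the status code, or an error if
// the handler has not responded within limit (the hang described above).
func probe(h http.Handler, path string, limit time.Duration) (int, error) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, path, nil)
	done := make(chan struct{})
	go func() {
		defer close(done)
		h.ServeHTTP(rec, req)
	}()
	select {
	case <-done:
		return rec.Code, nil
	case <-time.After(limit):
		return 0, fmt.Errorf("no response for %s within %s", path, limit)
	}
}

func main() {
	for _, p := range []string{"/.well-known/oauth-authorization-server", "/health"} {
		code, err := probe(newGatewayMux(), p, 500*time.Millisecond)
		fmt.Println(p, code, err)
	}
}
```

Because `probe` drives the handler in-process, it exercises only the mux routing; the Docker network path between the client and the gateway is outside what it checks.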
Impact
This fix would:
- Make OAuth discovery fail fast (instant 404 instead of 15s timeout)
- Allow all 6 MCP servers to connect successfully in Codex workflows
- Fix smoke-codex CI failures
Related
- gh-aw PR #13792: Removed hardcoded IP from Codex config (firewall fix - separate issue)
Smoke-codex workflow run: https://github.com/github/gh-aw/actions/runs/21688558782