Skip to content

MCP OAuth login cannot pass RFC 8707 resource parameter #12762

New issue
New issue
Closed as duplicate of#12589
Closed as duplicate of#12589
MCP OAuth login cannot pass RFC 8707 resource parameter#12762
Labels
CLIIssues related to the Codex CLIauthIssues related to authentication and accountsenhancementNew feature or requestmcpIssues related to the use of model context protocol (MCP) servers
@xrmzju

Description

@xrmzju
xrmzju
opened on Feb 25, 2026

Summary

OAuth login for MCP servers does not provide a way to include the RFC 8707 resource parameter in the authorization request. Some OAuth providers require resource, so the login flow fails even though the user completes authorization in the browser.

Repro

  1. Configure a streamable HTTP MCP server that uses OAuth and requires resource on the authorization request.
  2. Run codex mcp login <server-name>.
  3. The browser flow completes, but the token exchange fails (no access_token), because the authorization URL never included resource.

Expected

Codex should allow specifying an OAuth resource value per MCP server and append it to the authorization URL when starting the login flow.

Notes

The current flow only passes scope, redirect_uri, and client_name. There is no config/CLI way to pass an OAuth resource value.

Metadata

Metadata

Assignees

No one assigned

    Labels

    CLIIssues related to the Codex CLIauthIssues related to authentication and accountsenhancementNew feature or requestmcpIssues related to the use of model context protocol (MCP) servers

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions