fix: advertise refresh_token grant in OAuth DCR + add Miro MCP example#3192
fix: advertise refresh_token grant in OAuth DCR + add Miro MCP example#3192aheritier wants to merge 2 commits into
Conversation
docker-agent's RFC 7591 dynamic client registration only advertised the authorization_code grant. Strict authorization servers that require clients to declare every grant they use (e.g. Miro's hosted MCP server at mcp.miro.com) reject the registration with: invalid_client_metadata: grant_types must be authorization_code and refresh_token docker-agent already uses the refresh_token grant via RefreshAccessToken, so declaring it at registration time is correct and backwards-compatible with lenient servers (Notion, Atlassian). Fixes #3191
Add examples/miro-expert.yaml demonstrating Miro's hosted MCP server (https://mcp.miro.com/) over streamable HTTP with OAuth 2.1 Dynamic Client Registration. Includes four inline board skills (browse, diagram, doc, table) adapted from Miro's own skill set, plus a link to the official docs and notes on the Enterprise-plan requirement. Registers the example in examples/README.md.
docker-agent
left a comment
docker-agent
left a comment
There was a problem hiding this comment.
Assessment: 🟢 APPROVE
The changes in this PR are correct and well-structured:
pkg/tools/mcp/oauth_helpers.go — The fix to advertise refresh_token alongside authorization_code in the DCR grant_types array is the right call per RFC 7591. Docker-agent already uses the refresh-token grant (RefreshAccessToken), so declaring it at registration is required for strict servers and harmless for lenient ones. No logic errors or correctness issues found.
pkg/tools/mcp/oauth_test.go — The new TestRegisterClient_GrantTypesIncludeRefreshToken test is well-structured, uses require/assert per project conventions, and correctly exercises the registration body content.
examples/miro-expert.yaml / examples/README.md — Documentation-only additions following the existing config schema and examples pattern. No issues.
aheritier
added
area/mcp
3 participants
What
Two related changes:
Fix OAuth Dynamic Client Registration (RFC 7591) to advertise both
authorization_codeandrefresh_tokengrant types. Previously onlyauthorization_codewas declared, which strict authorization servers reject during registration:docker-agent already uses the refresh-token grant (
RefreshAccessToken), so declaring it at registration is correct and backwards-compatible with lenient servers (Notion, Atlassian). Adds a regression test asserting both grants are sent.Add a Miro hosted MCP example (
examples/miro-expert.yaml) demonstrating Miro's hosted MCP server (https://mcp.miro.com/) over streamable HTTP with OAuth 2.1 DCR. Includes four inline board skills (browse / diagram / doc / table) adapted from Miro's own skill set, a link to the official docs, and notes on the Enterprise-plan requirement. Registered inexamples/README.md.Why
The Miro MCP server (and any strict OAuth MCP server) is currently unusable via docker-agent's remote MCP support. The fix unblocks it; the example documents the working configuration end to end.
Testing
task build,task test,task lintall passTestRegisterClient_GrantTypesIncludeRefreshTokencovers the fixexamples/miro-expert.yamlvalidated withdocker-agent run ... --dry-runmcp.miro.comnow completes successfullyCloses #3191