fix: use absolute OAuth authorize URL and allow non-admin users to authorize

Olivier Gintrand · Olivier Gintrand · commit b3efbb9c26b0 · 2026-04-02T12:51:17.000+02:00
Two related fixes for OAuth UX in multi-user deployments: 1. tool_service.py: Build absolute authorize URL using settings.app_domain + settings.app_root_path instead of a relative path. AI agents (VS Code Copilot, etc.) receive clickable URLs in ToolInvocationError messages. Applied in both invoke_tool and stream_invoke_tool code paths. 2. gateways_partial.html: Decouple the OAuth Authorize button from the can_modify permission check. OAuth authorization is a per-user action (each user gets their own token), so any authenticated user with gateway access should be able to authorize. Fetch/Refresh Tools remains gated behind can_modify. Fixes #3998 Signed-off-by: Olivier Gintrand <olivier.gintrand@forterro.com>
diff --git a/mcpgateway/services/tool_service.py b/mcpgateway/services/tool_service.py
@@ -3159,7 +3159,8 @@ async def prepare_rust_mcp_tool_execution(
                     if access_token:
                         headers = {"Authorization": f"Bearer {access_token}"}
                     else:
-                        raise ToolInvocationError(f"Please authorize {gateway_name} first. Visit /oauth/authorize/{gateway_id_str} to complete OAuth flow.")
+                        authorize_url = f"{str(settings.app_domain).rstrip('/')}{settings.app_root_path}/oauth/authorize/{gateway_id_str}"
+                        raise ToolInvocationError(f"Please authorize {gateway_name} first. Visit {authorize_url} to complete OAuth flow.")
                 except Exception as e:
                     logger.error(f"Failed to obtain stored OAuth token for gateway {gateway_name}: {e}")
                     raise ToolInvocationError(f"OAuth token retrieval failed for gateway: {str(e)}")
@@ -4162,7 +4163,8 @@ async def invoke_tool(
                                     headers = {"Authorization": f"Bearer {access_token}"}
                                 else:
                                     # User hasn't authorized this gateway yet
-                                    raise ToolInvocationError(f"Please authorize {gateway_name} first. Visit /oauth/authorize/{gateway_id_str} to complete OAuth flow.")
+                                    authorize_url = f"{str(settings.app_domain).rstrip('/')}{settings.app_root_path}/oauth/authorize/{gateway_id_str}"
+                                    raise ToolInvocationError(f"Please authorize {gateway_name} first. Visit {authorize_url} to complete OAuth flow.")
                             except Exception as e:
                                 logger.error(f"Failed to obtain stored OAuth token for gateway {gateway_name}: {e}")
                                 raise ToolInvocationError(f"OAuth token retrieval failed for gateway: {str(e)}")
diff --git a/mcpgateway/templates/gateways_partial.html b/mcpgateway/templates/gateways_partial.html
@@ -56,8 +56,8 @@
                 class="w-full flex items-center px-4 py-2 text-sm text-gray-700 dark:text-gray-200 hover:bg-gray-100 dark:hover:bg-gray-700"
               >Test</button>
 
-              {% if gateway.authType == 'oauth' and can_modify %}
-              <!-- OAuth Authorize -->
+              {% if gateway.authType == 'oauth' %}
+              <!-- OAuth Authorize (accessible to all authenticated users with gateway access) -->
               <a
                 href="{{ root_path }}/oauth/authorize/{{ gateway.id }}"
                 @click="menuOpen = false"
