Skip to content

Commit 2b301de

Browse files
docs: add comprehensive OAuth server states and troubleshooting guide
Enhanced docs/oauth-zero-config.md with detailed documentation for: 1. Server States Section: - Connected states: ready (authenticated), connected (no token) - Waiting states: pending_auth (normal waiting state, not an error) - Transitional states: connecting, authenticating - Error states: disconnected, error 2. Checking Authentication Status: - How to use `mcpproxy auth status` command - Example output with emoji indicators (✅⏳❌) - Status meaning explanations 3. Troubleshooting Section with 4 Common Issues: Issue smart-mcp-proxy#1: Server Shows "Pending Auth" State - Symptoms: ⏳ icon in tray, pending_auth status - Cause: OAuth detected but user hasn't authenticated - Solution: Use `auth login` or tray "Authenticate" action - Clarification: NOT an error, intentional deferral Issue smart-mcp-proxy#2: Authentication Token Expired - Symptoms: Was working, now shows "Auth Failed" - Cause: OAuth token expired (1-24 hour lifetime) - Solution: Re-authenticate with `auth login` Issue smart-mcp-proxy#3: OAuth Detection Not Working - Symptoms: No pending_auth, just connection failures - Diagnosis: Check doctor output, logs, manual OAuth test - Common causes: Non-standard endpoints, firewall issues - Solution: Add explicit OAuth configuration Issue smart-mcp-proxy#4: OAuth Login Opens Browser But Fails - Symptoms: Browser opens, approval given, but still fails - Diagnosis: Check callback logs for authorization code - Common causes: Port conflict, timeout, firewall - Solution: Retry with debug logging 4. Diagnostic Commands Reference: - doctor: Quick OAuth detection check - auth status: View token status - upstream list: Check connection status - upstream logs: View OAuth flow logs - auth login --log-level=debug: Test with debug output - upstream list --format=json | jq: Verify OAuth config This addresses user confusion about "Pending Auth" being displayed as an error state. Documentation now clearly explains it's a normal waiting state and provides step-by-step troubleshooting for all OAuth-related issues. Related to PR smart-mcp-proxy#165: Zero-config OAuth with RFC 8707 support Task: Update documentation for OAuth server states and troubleshooting
1 parent ea7e05b commit 2b301de

1 file changed

Lines changed: 168 additions & 3 deletions

File tree

docs/oauth-zero-config.md

Lines changed: 168 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -38,10 +38,175 @@ For non-standard OAuth requirements:
3838

3939
See design document: `docs/designs/2025-11-27-zero-config-oauth.md`
4040

41+
## Server States
42+
43+
OAuth-capable servers in MCPProxy can be in one of these states:
44+
45+
### Connected States
46+
- **`ready`**: Server connected and authenticated (has valid, non-expired OAuth token)
47+
- **`connected`**: Server connected but not OAuth-authenticated (no token or expired token)
48+
49+
### Waiting States
50+
- **`pending_auth`**: OAuth authentication required but deferred (waiting for user action)
51+
- Occurs when OAuth server detected but user hasn't logged in yet
52+
- Server shows ⏳ icon in tray UI
53+
- Use `mcpproxy auth login --server=<name>` to authenticate
54+
- **Not an error** - this is a normal waiting state
55+
56+
### Transitional States
57+
- **`connecting`**: Server is attempting to connect
58+
- **`authenticating`**: OAuth authentication flow in progress
59+
60+
### Error States
61+
- **`disconnected`**: Server failed to connect (check logs for details)
62+
- **`error`**: Unexpected error occurred (check `last_error` field)
63+
64+
## Checking Authentication Status
65+
66+
Use the `auth status` command to view OAuth authentication state for all servers:
67+
68+
```bash
69+
mcpproxy auth status
70+
```
71+
72+
**Example output:**
73+
```
74+
Server Status Token Expiry Authenticated
75+
────────────────────────────────────────────────────────────────────────────────
76+
slack-server ✅ Authenticated 2025-12-01 15:30:00 Yes
77+
github-server ⏳ Pending Auth - No
78+
sentry-server ❌ Auth Failed Token expired No
79+
```
80+
81+
**Status meanings:**
82+
- **✅ Authenticated**: Valid OAuth token, server ready to use
83+
- **⏳ Pending Authentication**: Waiting for OAuth login (use `auth login`)
84+
- **❌ Authentication Failed**: OAuth token invalid or expired (re-authenticate required)
85+
4186
## Troubleshooting
4287

88+
### Common Issues
89+
90+
#### 1. Server Shows "Pending Auth" State
91+
92+
**Symptoms:**
93+
- Server appears with ⏳ icon in tray UI
94+
- `mcpproxy upstream list` shows `pending_auth` status
95+
- `mcpproxy auth status` shows "⏳ Pending Authentication"
96+
97+
**Cause:** OAuth-capable server detected, but user hasn't authenticated yet.
98+
99+
**Solution:**
100+
```bash
101+
# Option 1: CLI authentication
102+
mcpproxy auth login --server=<server-name>
103+
104+
# Option 2: Tray UI (recommended)
105+
# Right-click tray icon → <server-name> → "Authenticate"
106+
```
107+
108+
**Why this happens:** MCPProxy automatically detects OAuth requirements from server responses. The server is intentionally deferred (not an error) to prevent blocking daemon startup.
109+
110+
#### 2. Authentication Token Expired
111+
112+
**Symptoms:**
113+
- Server was working, now shows "❌ Auth Failed"
114+
- `auth status` shows "Token expired"
115+
- Server `authenticated` field is `false`
116+
117+
**Cause:** OAuth access token expired (typical lifetime: 1-24 hours).
118+
119+
**Solution:**
120+
```bash
121+
# Re-authenticate to get new token
122+
mcpproxy auth login --server=<server-name>
123+
```
124+
125+
**Prevention:** MCPProxy automatically refreshes tokens when possible. If auto-refresh fails, manual re-authentication is required.
126+
127+
#### 3. OAuth Detection Not Working
128+
129+
**Symptoms:**
130+
- Server requires OAuth but shows as disconnected
131+
- No "Pending Auth" state, just repeated connection failures
132+
- Logs show generic connection errors
133+
134+
**Diagnosis:**
43135
```bash
44-
./mcpproxy doctor # Check OAuth detection
45-
./mcpproxy auth status # View OAuth-capable servers
46-
./mcpproxy auth login --server=myserver --log-level=debug
136+
# Check if server is OAuth-capable
137+
mcpproxy doctor
138+
139+
# Enable debug logging to see OAuth detection
140+
mcpproxy upstream logs <server-name> --tail=100
141+
142+
# Test OAuth flow manually with debug logs
143+
mcpproxy auth login --server=<server-name> --log-level=debug
144+
```
145+
146+
**Common causes:**
147+
- Server doesn't return proper 401 with `WWW-Authenticate` header
148+
- Server uses non-standard OAuth endpoints (need manual config)
149+
- Network/firewall blocking OAuth metadata endpoint
150+
151+
**Solution:** Add explicit OAuth configuration:
152+
```json
153+
{
154+
"name": "custom-server",
155+
"url": "https://api.example.com/mcp",
156+
"oauth": {
157+
"client_id": "your-client-id",
158+
"client_secret": "your-client-secret",
159+
"auth_url": "https://oauth.example.com/authorize",
160+
"token_url": "https://oauth.example.com/token",
161+
"scopes": ["mcp.read", "mcp.write"]
162+
}
163+
}
164+
```
165+
166+
#### 4. OAuth Login Opens Browser But Fails
167+
168+
**Symptoms:**
169+
- Browser opens with OAuth prompt
170+
- After approving, shows "Success" page
171+
- But server still shows "Pending Auth" or "Auth Failed"
172+
173+
**Diagnosis:**
174+
```bash
175+
# Check if callback server received authorization code
176+
mcpproxy upstream logs <server-name> --tail=50 | grep -i "oauth\|callback"
177+
```
178+
179+
**Common causes:**
180+
- Callback server port conflict (rare with dynamic allocation)
181+
- OAuth callback timeout (took > 5 minutes to approve)
182+
- Network/firewall blocking loopback connections
183+
184+
**Solution:**
185+
```bash
186+
# Retry with extended timeout and debug logging
187+
mcpproxy auth login --server=<server-name> --log-level=debug
188+
189+
# If persistent, check firewall rules for 127.0.0.1 loopback
190+
```
191+
192+
### Diagnostic Commands
193+
194+
```bash
195+
# Quick OAuth detection check
196+
mcpproxy doctor
197+
198+
# View all OAuth-capable servers and token status
199+
mcpproxy auth status
200+
201+
# Check server connection status
202+
mcpproxy upstream list
203+
204+
# View OAuth flow logs for specific server
205+
mcpproxy upstream logs <server-name> --tail=100 --follow
206+
207+
# Test OAuth authentication with debug output
208+
mcpproxy auth login --server=<server-name> --log-level=debug
209+
210+
# Verify OAuth configuration extraction
211+
mcpproxy upstream list --format=json | jq '.[] | select(.name=="<server-name>") | .oauth'
47212
```

0 commit comments

Comments
 (0)