Conversation
Updates the MCP server documentation to include ChatGPT as a supported client and adds comprehensive setup instructions for the Authorization Code OAuth flow. Restructures authentication section to clearly distinguish between Authorization Code flow (for ChatGPT and Claude Code) and Client Credentials flow (for VS Code and Claude Code). Key changes: - Add ChatGPT setup instructions with UI-based OAuth client creation - Add Authorization Code flow setup for Claude Code - Update status from "Closed Preview" to "Private Preview" - Reorganize authentication section with comparison table - Use AuthorizationCodeClient terminology to match UI Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
kimsauce
requested review from
JV0812,
amee-sumo,
jpipkin1 and
mafsumo
as code owners
kimsauce
changed the title
Add prominent note callout before Step 3 curl examples to make deployment URL requirements clearer for Preview customers reading top-to-bottom. Addresses feedback that deployment info wasn't immediately obvious. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Update OAuth doc title to "OAuth Client Setup" - Restructure MCP authentication sections to be client-specific - Add deployment endpoint clarifications throughout both docs - Add tip about discovering token endpoint programmatically - Consolidate redundant content in OAuth intro Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
kimsauce
changed the title
kimsauce
changed the title
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
kimsauce
changed the title
kimsauce
added
doc:update
Implements feedback from auth-code-flow-docs-update-review.pdf: OAuth documentation changes: - Remove MCP server parenthetical reference from intro - Change "your application" to "an external application" in Authorization Code flow intro for clarity - Update token expiration to reference expires_in property instead of hardcoded "1 hour" - Update refresh token rotation language (always rotates, not configurable) - Remove personal access key prerequisite (OAuth clients now created via UI) - Add UI-first approach for service account ID retrieval with API as alternative - Replace curl-based OAuth client creation with UI steps for Client Credentials flow - Preserve API examples in collapsible sections for advanced users - Fix highlighted field in service account JSON response (id not modifiedAt) MCP server documentation changes: - Change "external copilots and proprietary models" to "MCP clients (external AI models)" - Remove em dashes and improve sentence structure per style guide Style fixes: - Remove all em dashes per Sumo Logic style guide - Fix hyphenation (MCP-clients → MCP clients) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
kimsauce
changed the title
| 1. Copy the **Redirect URL** shown in the dialog. You'll use this when [creating your OAuth client in Sumo Logic](/docs/manage/security/oauth#authorization-code-flow). | ||
| 1. In Sumo Logic, [create an OAuth client using the Authorization Code flow](/docs/manage/security/oauth#authorization-code-flow) with the redirect URL from ChatGPT. | ||
| 1. Return to ChatGPT's Create App dialog and enter: | ||
| * **MCP Server URL**: `https://mcp.sumologic.com/mcp` |
There was a problem hiding this comment.
Probably worthwhile to make sure its clear about the deployment specific domains here.
| --client-id "<client-id>" \ | ||
| --callback-port 8888 \ | ||
| --client-secret \ | ||
| sumo-logic "https://mcp.sumologic.com/mcp" |
| ``` | ||
| 1. Launch Claude Code. | ||
| ```bash | ||
| cd /path/to/your/project |
There was a problem hiding this comment.
This might mislead people based on the above "claude mcp add" command.
The above command only adds it for claude in the directory that the command was run. So, if the user goes to another directory, then the MCP server will not show up.
To add it globally to claude so that the directory doesn't matter, then the command needs to include the "--scope user" option.
| ### Authentication | ||
|
|
||
| Use the `scope` parameter to assign specific scopes in your request, separated by spaces, not commas (for example, `"scope=viewUsersAndRoles manageCollectors runLogSearch"`). | ||
| Claude Code supports two OAuth 2.0 authentication flows: |
There was a problem hiding this comment.
My opinion and I'm curious others thoughts, but we should only cover the Authorization Code Flow for Claude. I can't see any reason why someone would use either of the Client Credentials setups once we have Authorization Code Flow released for Claude.
To be clear, we will need to leave the Client Credentials sections for VS Code because as of yet, I haven't figured out how to make that work with Authorization Code Flow.
| The token endpoint URL varies by deployment. To discover it programmatically (for example, in automation scripts), query the Authorization Server Metadata for your deployment: | ||
|
|
||
| ```bash | ||
| curl https://service.sumologic.com/.well-known/oauth-authorization-server |
There was a problem hiding this comment.
Similar question about the domains...
Maybe we should have a matrix with all of the deployments and domains?
|
|
||
| ## Security best practices | ||
|
|
||
| * **Protect client secrets**. Store client secrets securely using environment variables, secrets management systems, or encrypted configuration files. Never commit secrets to version control. |
There was a problem hiding this comment.
The clientSecret isn't a risk in the Authorization Code Flow.
| 1. Find the OAuth client you want to revoke. | ||
| 1. Click **Delete** or **Deactivate** (depending on UI options available). | ||
|
|
||
| For Client Credentials flow, you can also deactivate or delete the associated service account, which will immediately revoke all access for OAuth clients using that service account. |
There was a problem hiding this comment.
I think revoking the Authorization Consent will have a similar impact in Authorization Code Flow setup in that the next refresh of the token will fail, right? cc: @kdwink
| Yes. OAuth access tokens work with all Sumo Logic APIs. Include the access token in the `Authorization` header as a Bearer token: | ||
|
|
||
| ```bash | ||
| curl https://service.sumologic.com/api/v1/users \ |
| </details> | ||
|
|
||
| <details> | ||
| <summary>What happens if I change a service account's roles?</summary> |
There was a problem hiding this comment.
We should probably add a similar question for what happens when a users roles change with Authorization Code Flow.
@kdwink can probably provide a good explanation as he just updated how this works.
|
Hi @ganano , thanks for the thorough review! Here's what I addressed based on your feedback: docs/api/mcp-server.md
docs/manage/security/oauth.md
One thing I wasn't sure about, your line 49 comment mentioned adding a tip about how permissions are calculated specifically for Auth Code. I added that as a |
…docs - mcp-server.md: remove Client Credentials sections from Claude Code CLI setup (Auth Code flow only); add --scope user/project options to claude mcp add command; add deployment domain tips to ChatGPT and Claude sections - oauth.md: simplify Auth Code flow (replace curl steps with OAuth 2.1 spec pointer and permissions intersection tip); fix API call domains to api.sumologic.com; update security practices, revoke FAQ, and add user roles change FAQ Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ganano
left a comment
ganano
left a comment
There was a problem hiding this comment.
Couple of minor comments, but otherwise lgtm.
Approving to remove myself from the review cycle.
|
|
||
| This flow uses interactive browser-based authentication. Users authorize an external application to access Sumo Logic on their behalf, and the application receives an access token to make API requests. | ||
|
|
||
| ### Create an OAuth client |
There was a problem hiding this comment.
I noticed that for the Client Credentials it lists the prerequisite of being an Administrator. That is true for the Authorization Code scenario as well.
| * The scopes assigned to the OAuth client. | ||
| * The scopes requested in the authorization request. | ||
|
|
||
| If a user's roles are restricted, their effective OAuth permissions are reduced at the next token refresh. If roles are expanded, the new permissions become available at the next token refresh. |
There was a problem hiding this comment.
Probably worth noting about if the permissions are expanded the the new permissions will become available on the next token refresh only with the permissions that have previously been "consented" to. If the permissions expand beyond the "consented", then to get a token with those permissions will require re-authenticating to the authorization server.
2 participants
Purpose of this pull request
This pull request improves the MCP server doc (currently in preview) and introduces the OAuth doc. Checked structure, clarity, and deployment endpoint guidance. Key changes include:
MCP documentation (mcp-server.md):
OAuth documentation (oauth.md):
Select the type of change
Ticket (if applicable)
https://sumologic.atlassian.net/browse/DOCS-1534