Add callback ids to local MCP OAuth redirects

[stevenlee-oai]

Summary

• Add a deterministic callback-id path segment to local MCP OAuth redirect URIs before starting authorization.
• Derive the callback id from the MCP server URL origin and encode it as a 12-character URL-safe hash.
• Reuse the existing exact callback-path validation so OAuth completion only succeeds on the callback path that was sent in the redirect URI.

Context

That thread calls out the OAuth mix-up class of issue for MCP servers. The connector/App Connect flow already has a callback_id concept that binds the OAuth callback URL to the MCP app/server identity. Codex desktop's local MCP OAuth flow was still using a generic local callback path like /callback, so this PR adds the same shape to the shared local MCP OAuth helper.

Behavior

Before this change, local MCP OAuth used:

• default local callback URL: http://127.0.0.1:<port>/callback
• configured callback URL: <configured callback URL> unchanged

After this change, Codex appends a deterministic callback-id segment:

• default local callback URL: http://127.0.0.1:<port>/callback/<callback_id>
• configured callback URL: <configured callback path>/<callback_id>

The local callback server already compares the incoming request path against the path from the redirect URI. By appending the callback id before both authorization and callback validation, callbacks that arrive on the old generic path or a mismatched callback-id path are rejected.

The change lives in codex-rmcp-client, so it covers both the normal desktop MCP OAuth login path and silent/plugin-triggered MCP OAuth login paths that use the same perform_oauth_login_* helpers.

Scope and non-goals

• This does not change the app-server protocol or desktop webview request shape.
• This does not implement RFC 9207 iss validation; issuer validation is still useful when providers return iss.
• This does not make arbitrary untrusted MCP servers safe to use. It specifically adds callback URL binding for the local MCP OAuth flow.

Validation

• cargo fmt --all
• cargo test -p codex-rmcp-client perform_oauth_login

[github-actions]

Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.

---

I have read the CLA Document and I hereby sign the CLA

---

_{You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c128f82bdb

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Include endpoint path when deriving callback IDs

callback_id_from_server_url hashes only {scheme, host, port} and drops the MCP endpoint path. Two different MCP servers hosted on the same origin therefore receive the same callback path, so the redirect is no longer bound to a unique server identity. This weakens the stated OAuth mix-up mitigation for path-based multi-tenant deployments.

Useful? React with 👍 / 👎.

[shijie-oai]

this sounds useful? but I doubt the chance of collision is hight (multiple auth flow at the same time)