LearnNewsExamplesServices
Frontmatter
id12391
titleClientAuthentication.md: add the OAuth browser-login client path
stateClosed
labels
documentationenhancementai
assigneesneo-opus-ada
createdAtJun 2, 2026, 8:32 PM
updatedAtJun 7, 2026, 7:18 PM
githubUrlhttps://github.com/neomjs/neo/issues/12391
authorneo-opus-ada
commentsCount0
parentIssuenull
subIssues[]
subIssuesCompleted0
subIssuesTotal0
blockedBy[]
blocking[]
closedAtJun 2, 2026, 9:34 PM

ClientAuthentication.md: add the OAuth browser-login client path

Closed v13.0.0/archive-v13-0-0-chunk-15 documentationenhancementai
neo-opus-ada
neo-opus-ada commented on Jun 2, 2026, 8:32 PM

Context

Settling the recommended client-auth posture for a GitLab-backed cloud MCP deployment converged on: OAuth browser-login (via a pre-registered GitLab OAuth app) as the primary path, with a Personal Access Token only as a fallback. That recommendation is not yet reflected in neo's canonical cloud-deployment docs.

learn/agentos/cloud-deployment/ClientAuthentication.md (#12380) documents only the PAT path and defers all OAuth to learn/agentos/tooling/Authorization.md — but Authorization.md covers the server-side OIDC mode (Keycloak/Google/OIDC with PRM + introspection + aud), not the path we actually recommend: a server in gitlab-pat bearer mode (bare 401, token-agnostic /api/v4/user validation) where the client runs an OAuth browser login to mint a short-lived bearer.

The Problem

There is no canonical neo doc for the recommended, verified path:

  • The server runs gitlab-pat mode → emits a bare 401 (no Protected-Resource-Metadata, since GitLab has no DCR — see McpInspectorCompatibility.md).
  • The client therefore cannot auto-discover the Authorization Server; it must be pointed at GitLab explicitly via an authServerMetadataUrl-style override + a pre-registered OAuth client_id (GitLab has no DCR).
  • The client completes OAuth 2.1 auth-code + PKCE (browser SSO/2FA), holds a short-lived, auto-refreshed access token, and sends it as the bearer. The server validates it via /api/v4/user — identical to a PAT, because the verifier is token-type-agnostic.

This is the enterprise-appropriate path (short-lived, SSO, no static secret in config). It's the missing canonical recipe; today readers only find PAT.

The Architectural Reality

  • learn/agentos/cloud-deployment/ClientAuthentication.md (#12380) — currently PAT-only, with a "Pending — MCP Inspector recipe" placeholder, and an "OAuth → see Authorization.md" deferral that points at the wrong (server-OIDC) mode for this case.
  • The client recipe is harness-specific: a desktop MCP client (e.g. Claude Code/Desktop ≥ the version exposing oauth.authServerMetadataUrl) supports pointing at the AS metadata + a pre-registered client_id + callbackPort + scopes against a bare-401 server. The verified mechanism is authServerMetadataUrl → the AS's /.well-known/openid-configuration, redirect http://localhost:<port>/callback, scope read_user.

The Fix

Extend ClientAuthentication.md with an OAuth browser-login section, presented as the primary path:

  1. The model: one server contract (validate a GitLab bearer), two client ways to mint it — OAuth access token (preferred) or PAT (fallback).
  2. One-time: register a GitLab OAuth app (read_user, per-harness redirect URIs, no DCR needed).
  3. The client recipe for the bare-401 case: the authServerMetadataUrl override + pre-registered client_id + callbackPort + scopes. Per-harness, with explicit "verified" vs "documented-not-yet-verified" status.
  4. Reframe PAT as the explicit fallback (Inspector / headless-CI / scripts); fill the pending Inspector recipe (cross-ref #12379).
  5. Add the honest audience caveat (no RFC 8707 on GitLab → validates "a valid user," not "issued for this server") and point at the verifier-hardening ticket #12390 for the enterprise-grade closure.

Acceptance Criteria

  • ClientAuthentication.md presents OAuth-browser-login as the primary path + PAT as the documented fallback.
  • The bare-401 + pre-registered-client OAuth recipe (authServerMetadataUrl, redirect URI, read_user) is documented with per-harness status.
  • The audience caveat is stated and cross-links #12390.
  • The "Pending Inspector recipe" placeholder is filled (cross-ref #12379).
  • learn/tree.json nav unaffected or updated to mirror (no orphan group).

Out of Scope

  • The server-side OIDC/Keycloak mode (owned by Authorization.md).
  • Any specific deployment's hostnames/secrets (those live in the deployment repo, not neo docs).
  • Implementing the verifier hardening itself (that is #12390).

Decision Record impact

none — documentation of an existing, shipped capability path.

Related

Origin Session ID: c279991f-11eb-4e89-9e38-2c9c4a78421e

Handoff Retrieval Hints: query_raw_memories("OAuth browser-login authServerMetadataUrl gitlab-pat bare 401 pre-registered client_id read_user"); anchor learn/agentos/cloud-deployment/ClientAuthentication.md.

Authored by @neo-opus-ada (claude-opus-4.8-1m)

tobiu referenced in commit 312fceb - "docs(cloud-deployment): OAuth browser-login path for gitlab-pat MCP auth (#12391) (#12392) on Jun 2, 2026, 9:34 PM
tobiu closed this issue on Jun 2, 2026, 9:34 PM