docs: lead local/stdio install with OAuth login#2776
Merged
Conversation
Surface OAuth 2.1 login as a first-class option above the Personal Access Token in the README install section and in every local-capable installation guide, each in that client's own config syntax, linking to the dedicated docs/oauth-login.md guide. The github.com OAuth example needs no token; in Docker it publishes a fixed callback port to loopback (-p 127.0.0.1:8085:8085). The PAT block is retained below it and noted as taking precedence over OAuth. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the repository’s installation documentation to make local/stdio OAuth login the primary auth path (ahead of Personal Access Tokens) now that OAuth login is supported for the local server, and provides copy/paste configuration blocks for multiple clients.
Changes:
- README: adds an OAuth-first local Docker configuration block and reframes the section to present OAuth as the default local auth option.
- Installation guides: add OAuth-first local Docker config blocks (client-specific syntax) with links to
docs/oauth-login.md, while retaining PAT examples as a fallback. - A few guides add short OAuth notes for cases like Xcode/native-binary where no fixed callback port is needed.
Show a summary per file
| File | Description |
|---|---|
| README.md | Adds OAuth-first local Docker config for “other IDEs” install section. |
| docs/installation-guides/install-zed.md | Adds OAuth-first local Docker config under context_servers. |
| docs/installation-guides/install-xcode.md | Adds an OAuth note covering Docker fixed-port vs native binary behavior. |
| docs/installation-guides/install-windsurf.md | Adds OAuth-first local Docker config under mcpServers. |
| docs/installation-guides/install-roo-code.md | Adds OAuth-first local Docker config for Roo Code local server setup. |
| docs/installation-guides/install-other-copilot-ides.md | Adds OAuth-first local Docker configs for Copilot in multiple IDEs. |
| docs/installation-guides/install-opencode.md | Adds OAuth-first local Docker config for OpenCode mcp settings. |
| docs/installation-guides/install-gemini-cli.md | Adds OAuth-first local Docker config and OAuth note for the native binary method. |
| docs/installation-guides/install-cursor.md | Adds OAuth-first local Docker config for Cursor. |
| docs/installation-guides/install-copilot-cli.md | Adds OAuth-first local Docker config for Copilot CLI manual configuration. |
| docs/installation-guides/install-codex.md | Adds concrete OAuth + PAT TOML examples for Codex local Docker config. |
| docs/installation-guides/install-cline.md | Adds OAuth-first local Docker config and reframes local setup as “OAuth or PAT”. |
| docs/installation-guides/install-claude.md | Adds OAuth-first local Docker command and JSON config blocks for Claude apps. |
| docs/installation-guides/install-antigravity.md | Adds OAuth-first local Docker config for Antigravity. |
Review details
- Files reviewed: 14/14 changed files
- Comments generated: 9
- Review effort level: Low
Comment on lines
+44
to
+45
| On github.com you can skip the token entirely: the server opens a browser login on first use and keeps the credential in memory only. In Docker, publish a fixed callback port to loopback: | ||
|
|
| ### Docker Installation (Required) | ||
| **Important**: The npm package `@modelcontextprotocol/server-github` is no longer supported as of April 2025. Use the official Docker image `ghcr.io/github/github-mcp-server` instead. | ||
|
|
||
| On github.com you can skip the token entirely: the server opens a browser login on first use and keeps the credential in memory only. In Docker, publish a fixed callback port to loopback: |
Comment on lines
+64
to
+65
| On github.com you can skip the token entirely: the server opens a browser login on first use and keeps the credential in memory only. In Docker, publish a fixed callback port to loopback: | ||
|
|
Comment on lines
+54
to
+55
| On github.com you can skip the token entirely: the server opens a browser login on first use and keeps the credential in memory only. In Docker, publish a fixed callback port to loopback: | ||
|
|
Comment on lines
+64
to
+65
| On github.com you can skip the token entirely: the server opens a browser login on first use and keeps the credential in memory only. In Docker, publish a fixed callback port to loopback: | ||
|
|
Comment on lines
+48
to
+51
| Use this if you prefer a local, self-hosted instance instead of the remote HTTP server. See the [OpenAI documentation for configuration](https://developers.openai.com/codex/mcp) for the authoritative schema. | ||
|
|
||
| On github.com you can skip the token entirely: the server opens a browser login on first use and keeps the credential in memory only. In Docker, publish a fixed callback port to loopback: | ||
|
|
Comment on lines
96
to
+99
| With Docker running, you can run the GitHub MCP server in a container: | ||
|
|
||
| On github.com you can skip the token entirely: the server opens a browser login on first use and keeps the credential in memory only. In Docker, publish a fixed callback port to loopback: | ||
|
|
Comment on lines
+78
to
+79
| On github.com you can skip the token entirely: the server opens a browser login on first use and keeps the credential in memory only. In Docker, publish a fixed callback port to loopback: | ||
|
|
Comment on lines
+67
to
+68
| On github.com you can skip the token entirely: the server opens a browser login on first use and keeps the credential in memory only. In Docker, publish a fixed callback port to loopback. Run the following command in the terminal (not in Claude Code CLI): | ||
|
|
The previous "How it works" text claimed PKCE removes the need for a client secret. In practice GitHub requires the client secret at the token endpoint for both OAuth Apps and GitHub Apps, and the implementation sends it alongside the PKCE verifier (Manager.oauth2Config populates ClientSecret; flow.go exchanges with VerifierOption). The secret is baked into the distributed binary and is not truly confidential; PKCE is what actually secures the flow. Reword to reflect this accurately. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The intro line said "On github.com you can skip the token entirely", which implied OAuth login only works on github.com. OAuth works on GitHub Enterprise too — you just supply your own app credentials there. Reword to lead with OAuth as the mechanism and scope the zero-config claim correctly: on github.com the official image already includes the app credentials, so the user provides none. Enterprise / bring-your-own-app is covered by the linked OAuth guide. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Now that OAuth 2.1 login for the local/stdio server has merged, this surfaces it as a first-class authentication option above the Personal Access Token everywhere we document local installation — instead of leaving OAuth as a one-line afterthought.
8085published to loopback) above the existing PAT example, with a pointer to the OAuth guide.docs/oauth-login.md:mcpServers: cline, roo-code, windsurf, cursor, antigravity, gemini-cli, copilot-cli, claude (Code CLI / Desktop / Xcode Agent)context_servers: zedmcp(command array +environment)servers): Visual Studio, JetBrains, Xcode, EclipseAlso: correct the PKCE / client-secret explanation
docs/oauth-login.md"How it works" previously claimed PKCE removes the need for a client secret. That's inaccurate for this implementation: GitHub requires the client secret at the token endpoint for both OAuth Apps and GitHub Apps, and the code sends it alongside the PKCE verifier (Manager.oauth2ConfigpopulatesClientSecret;flow.goexchanges withVerifierOption). The secret is baked into the distributed binary and is not truly confidential — PKCE is what actually secures the flow (it binds the auth code to the login attempt so an intercepted loopback code can't be redeemed elsewhere). Reworded to reflect this.Notes
8085and publishes it to loopback only (-p 127.0.0.1:8085:8085), matching the safety guidance in the OAuth guide.install-rovo-dev-cli.mdis remote-only and intentionally left unchanged.script/generate-docsproduces no further diff (auto-generated tool sections untouched), sodocs-checkstays green. All added JSON/TOML blocks parse.Builds on the merged OAuth stack (#2704 / #2710 / #2711 / #2717).