Roo does not initiate the OAuth flow if the remote MCP server implements Authorization. #7296

@hsuyuming

App Version

3.25.20

API Provider

OpenAI Compatible

Model Used

Claude-sonnet-4

Roo Code Task Links (Optional)

No response

🔁 Steps to Reproduce

  1. Version:
    System: Mac OS Sequoia 15.5
    Vscode version: 1.103.0 (Universal)
    Roo version 3.25.20

  2. Set up remote MCP server

2-1. Set up Python env

```
uv venv --python=3.12.10
source .venv/bin/activate
```

2-2. Clone the latest fastmcp repo. (We need this step because the latest auth implementation within fastmcp hasn't been published yet.)

```
git clone https://github.com/jlowin/fastmcp.git
cd fastmcp
uv pip install -e .
cd ..
```

2-3. Launch remote MCP server (Reference: https://github.com/jlowin/fastmcp/blob/0d01b74abfa2048d5b3c903fdd302cb0c647d69e/docs/integrations/azure.mdx#L106)

```python
# server.py
from fastmcp import FastMCP
from fastmcp.server.auth.providers.azure import AzureProvider

# The AzureProvider handles Azure's token format and validation
auth_provider = AzureProvider(
    client_id="835f09b6-0f0f-40cc-85cb-f32c5829a149",  # Your Azure App Client ID
    client_secret="your-client-secret",  # Your Azure App Client Secret
    tenant_id="08541b6e-646d-43de-a0eb-834e6713d6d5",  # Your Azure Tenant ID (REQUIRED)
    base_url="http://localhost:8000",  # Must match your App registration
    required_scopes=["User.Read", "email", "openid", "profile"],  # Microsoft Graph permissions
    # redirect_path="/auth/callback"  # Default value, customize if needed
)

mcp = FastMCP(name="Azure Secured App", auth=auth_provider)


# Add a protected tool to test authentication
@mcp.tool
async def get_user_info() -> dict:
    """Returns information about the authenticated Azure user."""
    from fastmcp.server.dependencies import get_access_token

    token = get_access_token()
    # The AzureProvider stores user data in token claims
    return {
        "azure_id": token.claims.get("sub"),
        "email": token.claims.get("email"),
        "name": token.claims.get("name"),
        "job_title": token.claims.get("job_title"),
        "office_location": token.claims.get("office_location"),
    }


if __name__ == "__main__":
    mcp.run(transport="http", port=8005)
```

```
uv run server.py
```

  3. Roo setting:

```json
{
    "mcpServers": {
        "remote-mcp-server": {
            "type": "streamable-http",
            "url": "http://localhost:8005/mcp",
            "disabled": false,
            "alwaysAllow": []
        }
    }
}
```

Error message:

[Image: screenshot of the error message]

Currently, we need to rely on the mcp-remote package to complete the OAuth flow. We would like roo to support this functionality natively in the future.

```json
{
    "mcpServers": {
        "remote-mcp-server": {
            "command": "npx",
            "args": [
                "-y",
                "mcp-remote",
                "http://localhost:8005/mcp"
            ],
            "disabled": false,
            "alwaysAllow": []
        }
    }
}
```

💥 Outcome Summary

The native streamable-http method provided by Roo isn't working with the remote MCP server, which requires Authorization.

📄 Relevant Logs or Errors (Optional)

Labels

- Issue - Needs Scoping: Valid, but needs effort estimate or design input before work can start.
- bug: Something isn't working
- feature request: Feature request, not a bug

Status

Done
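
As an added illustration (not part of the original issue, and not Roo or FastMCP code): a check a client can make before starting OAuth against a streamable-http server, assuming the server follows the MCP authorization spec and RFC 9728 by answering an unauthenticated request with 401 and a `WWW-Authenticate` Bearer challenge. The function names and the sample header are constructed for this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# auth-param: token "=" ( token / quoted-string ); token charset simplified
_PARAM = re.compile(r'([A-Za-z0-9_.~+-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')

def parse_bearer_challenge(header_value):
    """Return the auth-params of a Bearer challenge, or None if there is none.
    Simplification: assumes Bearer is the only challenge in the header value."""
    m = re.search(r'(?:^|,\s*)Bearer(?:\s+|$)', header_value, re.IGNORECASE)
    if not m:
        return None
    params = {}
    for key, quoted, bare in _PARAM.findall(header_value[m.end():]):
        value = re.sub(r'\\(.)', r'\1', quoted) if quoted else bare
        params.setdefault(key.lower(), value)  # first occurrence wins
    return params

def well_known_metadata_url(mcp_url):
    """RFC 9728 default: well-known segment inserted between host and path."""
    u = urlsplit(mcp_url)
    path = "/.well-known/oauth-protected-resource" + u.path.rstrip("/")
    return urlunsplit((u.scheme, u.netloc, path, "", ""))

def next_step(mcp_url, status, headers):
    """Decide what to do with the reply to an unauthenticated MCP request.
    Returns (action, protected_resource_metadata_url, how_it_was_found)."""
    if status != 401:
        return ("proceed", None, None)
    www = {k.lower(): v for k, v in headers.items()}.get("www-authenticate", "")
    params = parse_bearer_challenge(www) or {}
    if params.get("resource_metadata"):
        return ("start_oauth", params["resource_metadata"], "header")
    # No usable challenge: fall back to the well-known location
    return ("start_oauth", well_known_metadata_url(mcp_url), "well-known")

# Constructed sample reply headers (not captured from the server in this issue)
SAMPLE_HEADERS = {
    "WWW-Authenticate": 'Bearer error="invalid_token", '
    'resource_metadata="http://localhost:8005/.well-known/oauth-protected-resource"'
}

if __name__ == "__main__":
    print(next_step("http://localhost:8005/mcp", 401, SAMPLE_HEADERS))
    print(next_step("http://localhost:8005/mcp", 401, {}))
```

A client that treats the 401 as a plain connection failure never reaches the `start_oauth` branch; the metadata URL returned here is where discovery of the authorization server begins.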
