docs(oauth): stdio OAuth login guide + OAuth-first install config (4/4) #2717
Draft
SamMorrowDrums wants to merge 1 commit into
… config

Add a dedicated Local Server OAuth Login guide (docs/oauth-login.md) covering the PKCE/device flows, display channels and the URL-elicitation security advisory, scope-based tool filtering, the fixed-port Docker recipe and its loopback/port-safety behavior, bringing your own OAuth or GitHub App, and the GitHub Enterprise Server / ghe.com requirement to register an app on that host (custom --gh-host directs login at that instance's authorization server).

Reflect that the local server now logs in with OAuth by default on github.com:

- README: make the stdio Docker install badges OAuth-first (fixed callback port 8085 published to loopback), drop the PAT prompt, and reframe the PAT as an optional alternative with a pointer to the new guide.
- server.json: make GITHUB_PERSONAL_ACCESS_TOKEN optional and publish the OAuth callback port so the registry default works without a token.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR completes the stdio OAuth rollout by documenting the OAuth login flow and updating default install/config surfaces to be OAuth-first (with PAT optional), including the fixed Docker callback-port setup needed for containerized login.
Changes:
- Adds a dedicated `docs/oauth-login.md` guide covering stdio OAuth (PKCE/device flow), Docker fixed-port requirements, and BYO app guidance for GHES/ghe.com.
- Updates `README.md` one-click Docker install badges and prerequisites wording to default to OAuth-first while keeping PAT as an optional precedence override.
- Updates `server.json` so `GITHUB_PERSONAL_ACCESS_TOKEN` is optional and publishes the fixed OAuth callback port configuration for container installs.
Show a summary per file
| File | Description |
|---|---|
| `docs/oauth-login.md` | New end-to-end stdio OAuth login documentation (including Docker fixed-port guidance). |
| `README.md` | Switches local Docker install badges + prerequisites messaging to OAuth-first with a link to the new guide. |
| `server.json` | Makes PAT optional and adds fixed callback port publish/env defaults for registry-driven Docker installs. |
Copilot's findings
- Files reviewed: 3/3 changed files
- Comments generated: 1
| | Flag | Environment variable | Description | | ||
| |------|----------------------|-------------| | ||
| | `--oauth-client-id` | `GITHUB_OAUTH_CLIENT_ID` | OAuth App or GitHub App client ID. Enables OAuth login when no token is set. Defaults to the baked-in app on github.com for official builds. | | ||
| | `--oauth-client-secret` | `GITHUB_OAUTH_CLIENT_SECRET` | Client secret, **if your app requires one**. For distributed clients this is a public, non-confidential credential. | |
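Review bot: In the `--oauth-client-secret` row, "For distributed clients this is a public, non-confidential credential" reads as if it covers every value passed through `GITHUB_OAUTH_CLIENT_SECRET`, including the secret of an app a reader registers themselves. Suggest stating which case the sentence applies to and what "distributed clients" means here, and adding that a secret for the reader's own app should be kept out of shared or committed configuration. In the `--oauth-client-id` row, "when no token is set" would be clearer if it named the flag or variable that "token" refers to.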
Stack: #2704 (1/4) → #2710 (2/4) → #2711 (3/4) → this (4/4). Review/merge bottom-up. Base is the PR3 branch; diff is the docs layer only.
Closes the OAuth stdio work by documenting it and flipping the local install configs to OAuth-first now that no PAT is required on github.com.
What's here (3 files)
- `docs/oauth-login.md` (new) — dedicated guide:
  - `--oauth-client-id/-secret/-scopes/-callback-port` + `GITHUB_OAUTH_*` env vars; PAT still takes precedence.
  - `-p 127.0.0.1:8085:8085`, register `http://localhost:8085/callback`; documents the two fixed-port safety properties — loopback-only publish + a busy port is fatal (no silent device fallback).
  - `--gh-host` directs login at that instance's authorization server.
- `README.md` — stdio Docker install badges are now OAuth-first (fixed callback port 8085, no PAT prompt); Prerequisites reframed (OAuth default, PAT optional) with a pointer to the guide; one-line OAuth pointer by the manual examples. No README pollution beyond that.
- `server.json` — `GITHUB_PERSONAL_ACCESS_TOKEN` is now optional; the package publishes the OAuth callback port so the registry default works with zero token.

Validation

- `server.json` validated against the 2025-12-11 registry schema (valid) and `python -m json.tool` (the registry-releaser check).
- `docs/feature-flags.md`, `docs/insiders-features.md`) so this PR is docs-for-OAuth only; that drift is already correct on `main` and resolves on rebase.

No `workflow` scope needed (no workflow files touched).
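The loopback-only publish property from the description, as an added example that is not code from this PR or the project: a check that a `docker run` argument list publishes the callback port on a loopback address only. The function names are hypothetical and `IMAGE` is a placeholder for the container image.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// splitSpec parses docker's [ip:][hostPort:]containerPort[/proto] publish syntax.
func splitSpec(spec string) (ip, containerPort string) {
	spec, _, _ = strings.Cut(spec, "/")
	if end := strings.Index(spec, "]"); strings.HasPrefix(spec, "[") && end > 0 {
		ip, spec = spec[1:end], strings.TrimPrefix(spec[end+1:], ":") // [::1]:8085:8085
	} else if parts := strings.Split(spec, ":"); len(parts) == 3 {
		ip, spec = parts[0], parts[2]
	}
	return ip, spec[strings.LastIndex(spec, ":")+1:]
}

// CheckCallbackPublish returns nil only if callbackPort is published and every publish of it is loopback-bound.
func CheckCallbackPublish(args []string, callbackPort string) error {
	found := false
	for i, a := range args {
		spec, ok := strings.TrimPrefix(a, "--publish="), strings.HasPrefix(a, "--publish=")
		if (a == "-p" || a == "--publish") && i+1 < len(args) {
			spec, ok = args[i+1], true
		}
		ip, port := splitSpec(spec)
		if !ok || port != callbackPort {
			continue
		}
		found = true
		// An omitted host IP means docker binds all interfaces, so it fails here too.
		if parsed := net.ParseIP(ip); parsed == nil || !parsed.IsLoopback() {
			return fmt.Errorf("publish %q exposes callback port %s beyond loopback", spec, callbackPort)
		}
	}
	if !found {
		return fmt.Errorf("callback port %s is not published", callbackPort)
	}
	return nil
}

func main() {
	// Constructed docker args; IMAGE is a placeholder, not the project's image name.
	fmt.Println(CheckCallbackPublish([]string{"run", "-i", "--rm", "-p", "127.0.0.1:8085:8085", "IMAGE"}, "8085"))
	fmt.Println(CheckCallbackPublish([]string{"run", "-i", "--rm", "-p", "8085:8085", "IMAGE"}, "8085"))
}
```
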