fix(mcp): route OAuth callback to web server instead of MCP server (onyx-dot-app#10071)

Author: jmelahman

deployment/data/nginx/mcp.conf.inc.template

@@ -1,3 +1,17 @@
+# OAuth callback page must be served by the web server (Next.js),
+# not the MCP server. Exact match takes priority over the regex below.
+location = /mcp/oauth/callback {
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host $host;
+    proxy_set_header X-Forwarded-Port $server_port;
+    proxy_set_header Host $host;
+    proxy_http_version 1.1;
+    proxy_redirect off;
+    proxy_pass http://web_server;
+}
+
 # MCP Server - Model Context Protocol for LLM integrations
 # Match /mcp, /mcp/, or /mcp/* but NOT /mcpserver, /mcpapi, etc.
 location ~ ^/mcp(/.*)?$ {

deployment/helm/charts/onyx/Chart.yaml

@@ -5,7 +5,7 @@ home: https://www.onyx.app/
 sources:
   - "https://github.com/onyx-dot-app/onyx"
 type: application
-version: 0.4.42
+version: 0.4.43
 appVersion: latest
 annotations:
   category: Productivity

deployment/helm/charts/onyx/templates/nginx-conf.yaml

@@ -42,6 +42,22 @@ data:
         client_max_body_size 5G;
         {{- if .Values.mcpServer.enabled }}
 
+        # OAuth callback page must be served by the web server (Next.js),
+        # not the MCP server. Exact match takes priority over the regex below.
+        location = /mcp/oauth/callback {
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-Host $host;
+            proxy_set_header Host $host;
+            proxy_http_version 1.1;
+            proxy_redirect off;
+            proxy_connect_timeout {{ .Values.nginx.timeouts.connect }}s;
+            proxy_send_timeout {{ .Values.nginx.timeouts.send }}s;
+            proxy_read_timeout {{ .Values.nginx.timeouts.read }}s;
+            proxy_pass http://web_server;
+        }
+
         # MCP Server - Model Context Protocol for LLM integrations
         # Match /mcp, /mcp/, or /mcp/* but NOT /mcpserver, /mcpapi, etc.
         location ~ ^/mcp(/.*)?$ {

deployment/helm/charts/onyx/values.yaml

@@ -296,7 +296,7 @@ nginx:
     # The ingress-nginx subchart doesn't auto-detect our custom ConfigMap changes.
     # Workaround: Helm upgrade will restart if the following annotation value changes.
     podAnnotations:
-      onyx.app/nginx-config-version: "3"
+      onyx.app/nginx-config-version: "4"
 
     # Propagate DOMAIN into nginx so server_name continues to use the same env var
     extraEnvs: