Support OAuth client metadata URLs for MCP login

[stevenlee-oai]

Codex Thread 019e2258-dbd7-7270-9ed6-9492d07a01b1

Summary

• add optional clientMetadataUrlBase to app-server MCP OAuth login params and regenerate schema/TypeScript fixtures
• thread the base URL through app-server MCP login into rmcp-client
• keep existing callers on None, preserving dynamic registration unless a client explicitly supplies a CIMD metadata URL base
• reuse the callback-id logic from Add callback ids to local MCP OAuth redirects #20237: Rust derives the callback id from the MCP server URL and appends it to the local loopback redirect path
• when CIMD is enabled, build {base}/{callback_id}/client.json?redirect_uri=...&token_endpoint_auth_method=none so web serves the public-client CIMD document for local Codex token exchange
• discover OAuth server metadata before authorization and reject explicit non-none token endpoint auth methods, since local Codex cannot complete a private_key_jwt token exchange

Rollout / compatibility

This is stacked on #20237 so the DCR path already uses callback-scoped loopback redirects. clientMetadataUrlBase is optional/nullable and omitted by existing callers, so this can land before any desktop/app caller sends it. Older app-server builds ignore unknown client fields and continue using DCR. Servers that omit or malform token_endpoint_auth_methods_supported remain compatible for now; servers that explicitly exclude none fail before Codex sends the CIMD authorization request.

Test plan

• cargo run --manifest-path codex-rs/Cargo.toml -p codex-app-server-protocol --bin write_schema_fixtures
• cargo fmt --all --manifest-path codex-rs/Cargo.toml
• cargo test --manifest-path codex-rs/Cargo.toml -p codex-rmcp-client perform_oauth_login
• cargo test --manifest-path codex-rs/Cargo.toml -p codex-app-server-protocol
• cargo check --manifest-path codex-rs/Cargo.toml -p codex-app-server -p codex-cli -p codex-core
• ./tools/argument-comment-lint/run-prebuilt-linter.py -p codex-rmcp-client
• git diff --check

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 687878e622

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Fix the OAuth mock so the new tests pass

With this discovery mock in place, the two new OAuth tests fail before reaching their assertions: cargo test --manifest-path codex-rs/Cargo.toml -p codex-rmcp-client perform_oauth_login --no-fail-fast reports both authorization_uses_client_metadata_url_as_client_id_when_supplied and authorization_omits_client_metadata_url_by_default panicking at start_test_oauth_flow with No authorization support detected. Please adjust the mock discovery setup so OAuthState::start_authorization_with_metadata_url can discover valid authorization support; otherwise the targeted rmcp-client test suite is red.

Useful? React with 👍 / 👎.

[github-actions]

Closing this pull request because it has had no updates for more than 14 days. If you plan to continue working on it, feel free to reopen or open a new PR.

[jsphbtst]

Thanks for working on this, @stevenlee-oai! Excited to see CIMD support moving forward here. Do you have a rough sense of whether this is expected to land in an upcoming Codex release? It would help me plan around it for the MCP servers I’m building. No worries if there isn’t an ETA yet.