Thanks to visit codestin.com
Credit goes to github.com

Skip to content

OAuth DCR with Docker CE #208

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 16 commits into
base: main
Choose a base branch
from
Open

OAuth DCR with Docker CE #208

wants to merge 16 commits into from
+5,566 −78

Conversation

@saucow
Copy link
Contributor

@saucow saucow commented Oct 29, 2025
edited
Loading

What I did

Dual-Mode Operation:

  • Desktop Mode (default): Uses Docker Desktop APIs (existing behavior)
  • CE Mode (DOCKER_MCP_USE_CE=true): Standalone OAuth with credential helpers

docker mcp oauth authorize

sequenceDiagram
    participant User
    participant Gateway
    participant Browser
    participant AuthSrv as Auth Server
    participant Proxy as mcp-oauth
    participant Callback as localhost:PORT
    participant CredHelper as Credential Helper

    User->>Gateway: docker mcp oauth authorize notion-remote

    alt No DCR client
        Gateway->>AuthSrv: OAuth discovery (RFC 9728, RFC 8414)
        Gateway->>AuthSrv: Register client (RFC 7591)<br/>redirect_uri=https://mcp.docker.com/oauth/callback
        Gateway->>CredHelper: Store DCR client
    end

    Gateway->>Callback: Start HTTP server on port
    Gateway->>Gateway: Generate PKCE verifier + state UUID
    Gateway->>Browser: Open auth URL<br/>state=mcp-gateway:PORT:UUID
    Browser->>AuthSrv: User authorizes
    AuthSrv->>Proxy: Redirect with code
    Proxy->>Proxy: Parse state → extract PORT, UUID
    Proxy->>Callback: http://localhost:PORT/callback?code=X&state=UUID
    Callback->>Gateway: Return code + UUID
    Gateway->>Gateway: Validate UUID, get PKCE verifier
    Gateway->>AuthSrv: Exchange code + verifier → token
    Gateway->>CredHelper: Store token
    Gateway-->>User: Authorization successful
Loading

Components:

pkg/oauth/ (OAuth Package)

Added:

  • mode.go - Detect CE vs Desktop mode via env var
  • manager.go - OAuth flow orchestration (authorize, exchange, revoke)
  • callback_server.go - Localhost HTTP server for OAuth callbacks
  • state.go - PKCE verifier and state UUID tracking
  • token_store.go - Store/retrieve OAuth tokens via credential helper
  • browser.go - Open browser for authorization

Modified:

  • credhelper.go - Read credential helper from Docker config, add read-write helper
  • provider.go - Add DCRProvider (public client + PKCE + resource URL)

pkg/oauth/dcr/ (DCR Subpackage)
Added:

  • manager.go - DCR discovery and registration (calls oauth-helpers library)
  • credentials.go - Store/retrieve DCR clients via credential helper

cmd/docker-mcp/ (Commands)

Modified:

  • oauth/auth.go - Add CE mode OAuth flow (authorizeCEMode function)
  • oauth/revoke.go - Add CE mode revoke (deletes token + DCR client)
  • server/enable.go - Skip DCR pre-registration in CE mode

Related issue
N/A

(not mandatory) A picture of a cute animal, if possible in relation to what you did
N/A

@saucow saucow marked this pull request as ready for review October 31, 2025 22:49
@saucow saucow requested a review from a team as a code owner October 31, 2025 22:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kgprs kgprs Awaiting requested review from kgprs

@slimslenderslacks slimslenderslacks Awaiting requested review from slimslenderslacks

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@saucow