Feature request: Support custom OAuth2 providers in local catalog servers #449
Description
Problem
The Docker MCP toolkit currently supports OAuth authentication only for a fixed set of pre-registered providers (GitHub, Asana, Atlassian, etc.). There is no way to define a custom OAuth2 provider in a local catalog server entry.
This creates a problem for APIs that use rotating OAuth2 tokens (i.e., both the access token and refresh token are replaced on each refresh). With rotating tokens:
Secrets don't work — secrets are static; once the access token expires and the server gets a new access + refresh token pair, the old refresh token is invalidated. On the next container restart, the stale refresh token is loaded and authentication fails permanently.
The only workaround is to volume-mount a credentials file into the container so the server can write refreshed tokens back to the host filesystem.
Proposed Solution
Allow custom OAuth2 provider definitions in the local catalog server schema, e.g.:

```yaml
registry:
  my-server:
    image: my-server:latest
    oauth:
      providers:
        - provider: custom
          tokenUrl: https://api.example.com/oauth/token
          clientId: example_public
          clientSecret: example_public
          grantType: refresh_token
          secretMapping:
            accessToken:
              secret: my-server.access_token
              env: ACCESS_TOKEN
            refreshToken:
              secret: my-server.refresh_token
              env: REFRESH_TOKEN
```
The toolkit would handle the token refresh cycle and update its secret store with the new token pair, eliminating the need for volume-mounted credential files.
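To make the proposed refresh cycle concrete, here is an added Python example; it is not code from this issue or from the Docker MCP toolkit. `FileSecretStore`, `FakeRotatingTokenEndpoint`, `refresh_rotating_tokens` and `container_env` are hypothetical names, the fake endpoint is a constructed stand-in for the `tokenUrl` in the proposed entry, and the secret and env names are taken from the `secretMapping` above. The point it shows is the failure mode from the Problem section: the provider invalidates the old refresh token on every refresh, so the new pair must be persisted durably (here, atomically written to disk) before anything else happens, and a "restarted" store reading the same files must pick up the rotated token rather than the stale one.

```python
import json
import os
import tempfile
import urllib.parse
from dataclasses import dataclass

# Secret names and env names as proposed in the issue's example catalog entry.
SECRET_MAPPING = {
    "accessToken": {"secret": "my-server.access_token", "env": "ACCESS_TOKEN"},
    "refreshToken": {"secret": "my-server.refresh_token", "env": "REFRESH_TOKEN"},
}


@dataclass(frozen=True)
class TokenPair:
    access_token: str
    refresh_token: str


class RefreshError(Exception):
    pass


class FileSecretStore:
    """Hypothetical secret store: one JSON file per secret, written atomically so a
    crash mid-refresh never leaves a half-written (and therefore lost) refresh token."""

    def __init__(self, root):
        self.root = root

    def _path(self, name):
        return os.path.join(self.root, name + ".json")

    def get(self, name):
        with open(self._path(name)) as f:
            return json.load(f)["value"]

    def set(self, name, value):
        fd, tmp = tempfile.mkstemp(dir=self.root, prefix=".tmp-")
        with os.fdopen(fd, "w") as f:
            json.dump({"value": value}, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self._path(name))  # atomic rename over the old secret


class FakeRotatingTokenEndpoint:
    """Constructed stand-in for https://api.example.com/oauth/token: each successful
    refresh hands out a new access+refresh pair and invalidates the token just used."""

    def __init__(self, initial_refresh_token):
        self.valid_refresh_tokens = {initial_refresh_token}
        self.generation = 0

    def post(self, form_body):
        params = dict(urllib.parse.parse_qsl(form_body))
        if params.get("grant_type") != "refresh_token":
            return 400, {"error": "unsupported_grant_type"}
        presented = params.get("refresh_token")
        if presented not in self.valid_refresh_tokens:
            return 400, {"error": "invalid_grant"}  # stale or replayed token
        self.valid_refresh_tokens.discard(presented)
        self.generation += 1
        new_refresh = f"rt-{self.generation}"
        self.valid_refresh_tokens.add(new_refresh)
        return 200, {"access_token": f"at-{self.generation}",
                     "refresh_token": new_refresh, "token_type": "Bearer"}


def refresh_rotating_tokens(store, post, client_id, client_secret):
    """One refresh_token grant; persists the new pair before returning it."""
    old_refresh = store.get(SECRET_MAPPING["refreshToken"]["secret"])
    form = urllib.parse.urlencode({
        "grant_type": "refresh_token", "refresh_token": old_refresh,
        "client_id": client_id, "client_secret": client_secret,
    })
    status, body = post(form)
    if status != 200:
        raise RefreshError(body.get("error", "unknown"))
    # Providers that do not rotate omit refresh_token; keep the old one then.
    new = TokenPair(body["access_token"], body.get("refresh_token", old_refresh))
    # Write the refresh token first: it is the only credential that can recover
    # the session, and the old one is already dead on the provider side.
    store.set(SECRET_MAPPING["refreshToken"]["secret"], new.refresh_token)
    store.set(SECRET_MAPPING["accessToken"]["secret"], new.access_token)
    return new


def container_env(store):
    """Environment the toolkit would inject into the server container."""
    return {m["env"]: store.get(m["secret"]) for m in SECRET_MAPPING.values()}


def demo():
    root = tempfile.mkdtemp(prefix="mcp-secrets-")
    store = FileSecretStore(root)
    store.set(SECRET_MAPPING["accessToken"]["secret"], "at-0")
    store.set(SECRET_MAPPING["refreshToken"]["secret"], "rt-0")
    endpoint = FakeRotatingTokenEndpoint("rt-0")
    first = refresh_rotating_tokens(store, endpoint.post, "example_public", "example_public")
    # Simulate a container restart: a fresh store object reads the same files
    # and must find the rotated token, not the stale one.
    restarted = FileSecretStore(root)
    second = refresh_rotating_tokens(restarted, endpoint.post, "example_public", "example_public")
    # Replaying the original refresh token is exactly what a static secret would do.
    stale_status, stale_body = endpoint.post(urllib.parse.urlencode(
        {"grant_type": "refresh_token", "refresh_token": "rt-0"}))
    return {"first": first, "second": second, "env": container_env(restarted),
            "stale_status": stale_status, "stale_error": stale_body["error"]}
```

Running `demo()` performs two refreshes across a simulated restart and then replays the original refresh token, which the fake provider rejects with `invalid_grant`; that rejection is the permanent authentication failure the issue describes when a static secret holds an old refresh token.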
Current Workaround
```yaml
volumes:
  - /host/path/credentials.env:/app/.env
```
The container reads and writes credentials from the mounted file. This works but ties the server to a specific host path and exposes credentials as a plain file.
Related Issues
#172 — OAuth 2.1 for remote servers