Add dynamic OAuth discovery for community MCP servers

Community servers from third-party registries lack oauth.providers metadata,
so the existing IsRemoteOAuthServer() gate prevents DCR entries from being
created. This adds a fallback path that probes remote servers for OAuth
support using DiscoverOAuthRequirements() and creates pending DCR entries.

- Add RegisterProviderForDynamicDiscovery() in pkg/oauth/dcr_registration.go
- Add fallback branch in workingset, server enable, and gateway mcpadd
- Expand gateway OAuth condition to match remote servers without oauth.providers

Author: jchangx

cmd/docker-mcp/oauth/revoke.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 
-	"github.com/docker/mcp-gateway/pkg/catalog"
 	"github.com/docker/mcp-gateway/pkg/desktop"
 	pkgoauth "github.com/docker/mcp-gateway/pkg/oauth"
 )
@@ -25,27 +24,14 @@ func Revoke(ctx context.Context, app string) error {
 func revokeDesktopMode(ctx context.Context, app string) error {
 	client := desktop.NewAuthClient()
 
-	// Get catalog to check if this is a remote OAuth server
-	catalogData, err := catalog.GetWithOptions(ctx, true, nil)
-	if err != nil {
-		return fmt.Errorf("failed to get catalog: %w", err)
-	}
-
-	server, found := catalogData.Servers[app]
-	isRemoteOAuth := found && server.IsRemoteOAuthServer()
-
-	// Revoke tokens
+	// Revoke tokens via Docker Desktop.
+	// The DCR client entry is intentionally kept so the server remains
+	// visible in the OAuth UI for re-authorization. DCR cleanup happens
+	// when the server is removed from all profiles (doCleanupOrphanedDCREntries).
 	if err := client.DeleteOAuthApp(ctx, app); err != nil {
 		return fmt.Errorf("failed to revoke OAuth access: %w", err)
 	}
 
-	// For remote OAuth servers, also delete DCR client
-	if isRemoteOAuth {
-		if err := client.DeleteDCRClient(ctx, app); err != nil {
-			return fmt.Errorf("failed to remove DCR client: %w", err)
-		}
-	}
-
 	fmt.Printf("OAuth access revoked for %s\n", app)
 	return nil
 }

cmd/docker-mcp/server/enable.go

@@ -79,6 +79,15 @@ func update(ctx context.Context, docker docker.Client, dockerCli command.Cli, ad
 				fmt.Printf("Server %s requires OAuth authentication but DCR is disabled.\n", serverName)
 				fmt.Printf("   To enable automatic OAuth setup, run: docker mcp feature enable mcp-oauth-dcr\n")
 				fmt.Printf("   Or set up OAuth manually using: docker mcp oauth authorize %s\n", serverName)
+			} else if mcpOAuthDcrEnabled && server.Type == "remote" && !server.IsOAuthServer() && server.Remote.URL != "" {
+				// Community server without oauth.providers — probe for OAuth
+				if pkgoauth.IsCEMode() {
+					fmt.Printf("Remote server %s enabled. Run 'docker mcp oauth authorize %s' if authentication is required\n", serverName, serverName)
+				} else {
+					if err := pkgoauth.RegisterProviderForDynamicDiscovery(ctx, serverName, server.Remote.URL); err != nil {
+						fmt.Printf("Warning: Dynamic OAuth discovery failed for %s: %v\n", serverName, err)
+					}
+				}
 			}
 		} else {
 			return fmt.Errorf("server %s not found in catalog", serverName)

pkg/gateway/mcpadd.go

@@ -289,7 +289,8 @@ func addServerHandler(g *Gateway, clientConfig *clientConfig) mcp.ToolHandler {
 		// Handle OAuth DCR only when the client supports elicitation (e.g. not stdio-based clients)
 		if g.McpOAuthDcrEnabled &&
 			serverConfig != nil &&
-			serverConfig.Spec.IsRemoteOAuthServer() {
+			(serverConfig.Spec.IsRemoteOAuthServer() ||
+				(serverConfig.Spec.Type == "remote" && !serverConfig.Spec.IsOAuthServer() && serverConfig.Spec.Remote.URL != "")) {
 
 			init := req.Session.InitializeParams()
 			if init != nil &&
@@ -444,7 +445,20 @@ func (g *Gateway) getRemoteOAuthServerStatus(ctx context.Context, serverName str
 	if !providerExists {
 		// Register DCR client with DD so user can authorize
 		if err := oauth.RegisterProviderForLazySetup(ctx, serverName); err != nil {
-			log.Logf("Warning: Failed to register OAuth provider for %s: %v", serverName, err)
+			// Fallback: try dynamic discovery for community servers without oauth.providers
+			if serverConfig, _, found := g.configuration.Find(serverName); found && serverConfig.Spec.Remote.URL != "" {
+				if err := oauth.RegisterProviderForDynamicDiscovery(ctx, serverName, serverConfig.Spec.Remote.URL); err != nil {
+					log.Logf("Warning: Failed to register OAuth provider for %s: %v", serverName, err)
+				}
+			} else {
+				log.Logf("Warning: Failed to register OAuth provider for %s: %v", serverName, err)
+			}
+		}
+
+		// Verify DCR entry was created — dynamic discovery may have found no OAuth requirement
+		authClient := desktop.NewAuthClient()
+		if _, err := authClient.GetDCRClient(ctx, serverName); err != nil {
+			return true, "" // Server doesn't require OAuth
 		}
 
 		// Start provider (CE mode only - Desktop mode doesn't need polling)

pkg/gateway/run.go

@@ -697,7 +697,9 @@ func (g *Gateway) routeEventToProvider(event oauth.Event) {
 		g.clientPool.InvalidateOAuthClients(event.Provider)
 
 	case oauth.EventLogoutSuccess:
-		// User logged out - stop provider if exists
+		// Invalidate cached OAuth client connections (clear stale bearer tokens)
+		g.clientPool.InvalidateOAuthClients(event.Provider)
+		// Stop provider if exists
 		if exists {
 			log.Logf("- Stopping provider for %s after logout", event.Provider)
 			g.stopProvider(event.Provider)

pkg/oauth/dcr_registration.go

@@ -3,11 +3,33 @@ package oauth
 import (
 	"context"
 	"fmt"
+	"time"
+
+	oauthhelpers "github.com/docker/mcp-gateway-oauth-helpers"
 
 	"github.com/docker/mcp-gateway/pkg/catalog"
 	"github.com/docker/mcp-gateway/pkg/desktop"
 )
 
+// dcrRegistrationClient is the subset of desktop.Tools used for DCR registration.
+// Extracted as an interface to enable testing.
+type dcrRegistrationClient interface {
+	GetDCRClient(ctx context.Context, app string) (*desktop.DCRClient, error)
+	RegisterDCRClientPending(ctx context.Context, app string, req desktop.RegisterDCRRequest) error
+}
+
+// oauthProber abstracts OAuth discovery to enable testing.
+type oauthProber interface {
+	DiscoverOAuthRequirements(ctx context.Context, serverURL string) (*oauthhelpers.Discovery, error)
+}
+
+// defaultOAuthProber wraps the package-level function.
+type defaultOAuthProber struct{}
+
+func (defaultOAuthProber) DiscoverOAuthRequirements(ctx context.Context, serverURL string) (*oauthhelpers.Discovery, error) {
+	return oauthhelpers.DiscoverOAuthRequirements(ctx, serverURL)
+}
+
 // RegisterProviderForLazySetup registers a DCR provider with Docker Desktop
 // This allows 'docker mcp oauth authorize' to work before full DCR is complete
 // Idempotent - safe to call multiple times for the same server
@@ -46,6 +68,35 @@ func RegisterProviderForLazySetup(ctx context.Context, serverName string) error
 	return client.RegisterDCRClientPending(ctx, serverName, dcrRequest)
 }
 
+// RegisterProviderForDynamicDiscovery probes a remote server for OAuth support
+// and creates a pending DCR entry if the server requires OAuth.
+// This is used for community servers that lack oauth.providers metadata in the catalog.
+// Idempotent - safe to call multiple times for the same server.
+func RegisterProviderForDynamicDiscovery(ctx context.Context, serverName, serverURL string) error {
+	return registerProviderForDynamicDiscovery(ctx, serverName, serverURL, desktop.NewAuthClient(), defaultOAuthProber{})
+}
+
+func registerProviderForDynamicDiscovery(ctx context.Context, serverName, serverURL string, client dcrRegistrationClient, prober oauthProber) error {
+	// Idempotent check - already registered?
+	_, err := client.GetDCRClient(ctx, serverName)
+	if err == nil {
+		return nil // Already registered
+	}
+
+	// Probe the server with a timeout to discover OAuth requirements
+	probeCtx, cancel := context.WithTimeout(ctx, 10*time.Second)
+	defer cancel()
+	discovery, err := prober.DiscoverOAuthRequirements(probeCtx, serverURL)
+	if err != nil || !discovery.RequiresOAuth {
+		return nil // Server doesn't need OAuth, not an error
+	}
+
+	// Register with DD (pending DCR state) using server name as provider name
+	return client.RegisterDCRClientPending(ctx, serverName, desktop.RegisterDCRRequest{
+		ProviderName: serverName,
+	})
+}
+
 // RegisterProviderWithSnapshot registers a DCR provider using OAuth metadata from the server snapshot
 // This avoids querying the catalog since the snapshot already contains all necessary OAuth information
 // Idempotent - safe to call multiple times for the same server

pkg/oauth/dcr_registration_test.go

@@ -0,0 +1,96 @@
+package oauth
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	oauthhelpers "github.com/docker/mcp-gateway-oauth-helpers"
+	"github.com/docker/mcp-gateway/pkg/desktop"
+)
+
+// mockDCRClient implements dcrRegistrationClient for testing.
+type mockDCRClient struct {
+	clients    map[string]*desktop.DCRClient
+	registered map[string]desktop.RegisterDCRRequest
+}
+
+func newMockDCRClient() *mockDCRClient {
+	return &mockDCRClient{
+		clients:    make(map[string]*desktop.DCRClient),
+		registered: make(map[string]desktop.RegisterDCRRequest),
+	}
+}
+
+func (m *mockDCRClient) GetDCRClient(_ context.Context, app string) (*desktop.DCRClient, error) {
+	c, ok := m.clients[app]
+	if !ok {
+		return nil, errors.New("not found")
+	}
+	return c, nil
+}
+
+func (m *mockDCRClient) RegisterDCRClientPending(_ context.Context, app string, req desktop.RegisterDCRRequest) error {
+	m.registered[app] = req
+	return nil
+}
+
+// mockProber implements oauthProber for testing.
+type mockProber struct {
+	discovery *oauthhelpers.Discovery
+	err       error
+}
+
+func (m *mockProber) DiscoverOAuthRequirements(_ context.Context, _ string) (*oauthhelpers.Discovery, error) {
+	return m.discovery, m.err
+}
+
+func TestRegisterProviderForDynamicDiscovery_SkipsAlreadyRegistered(t *testing.T) {
+	client := newMockDCRClient()
+	client.clients["my-server"] = &desktop.DCRClient{State: "unregistered"}
+
+	prober := &mockProber{} // should not be called
+
+	err := registerProviderForDynamicDiscovery(t.Context(), "my-server", "https://example.com/mcp", client, prober)
+	require.NoError(t, err)
+	assert.Empty(t, client.registered, "should not register when already exists")
+}
+
+func TestRegisterProviderForDynamicDiscovery_RegistersWhenOAuthRequired(t *testing.T) {
+	client := newMockDCRClient()
+	prober := &mockProber{
+		discovery: &oauthhelpers.Discovery{RequiresOAuth: true},
+	}
+
+	err := registerProviderForDynamicDiscovery(t.Context(), "ai-kubit-mcp-server", "https://mcp.kubit.ai/mcp", client, prober)
+	require.NoError(t, err)
+
+	req, ok := client.registered["ai-kubit-mcp-server"]
+	require.True(t, ok, "should have registered DCR client")
+	assert.Equal(t, "ai-kubit-mcp-server", req.ProviderName, "provider name should match server name")
+}
+
+func TestRegisterProviderForDynamicDiscovery_SkipsWhenNoOAuthRequired(t *testing.T) {
+	client := newMockDCRClient()
+	prober := &mockProber{
+		discovery: &oauthhelpers.Discovery{RequiresOAuth: false},
+	}
+
+	err := registerProviderForDynamicDiscovery(t.Context(), "my-server", "https://example.com/mcp", client, prober)
+	require.NoError(t, err)
+	assert.Empty(t, client.registered, "should not register when OAuth not required")
+}
+
+func TestRegisterProviderForDynamicDiscovery_SkipsOnProbeError(t *testing.T) {
+	client := newMockDCRClient()
+	prober := &mockProber{
+		err: errors.New("connection refused"),
+	}
+
+	err := registerProviderForDynamicDiscovery(t.Context(), "my-server", "https://unreachable.example.com/mcp", client, prober)
+	require.NoError(t, err)
+	assert.Empty(t, client.registered, "should not register when probe fails")
+}

pkg/oauth/provider.go

@@ -152,10 +152,14 @@ func (p *Provider) Run(ctx context.Context) {
 		// Trigger refresh if needed
 		if shouldTriggerRefresh {
 			if IsCEMode() {
-				// CE mode: Refresh token directly
+				// CE mode: Refresh token directly, then reload server connection
 				go func() {
 					if err := p.refreshTokenCE(); err != nil {
 						log.Logf("! Token refresh failed for %s: %v", p.name, err)
+						return
+					}
+					if err := p.reloadFn(ctx, p.name); err != nil {
+						log.Logf("! Failed to reload %s after token refresh: %v", p.name, err)
 					}
 				}()
 			} else {