From 69bf81af486713df52eaa44da2b97640a5d48cd8 Mon Sep 17 00:00:00 2001 From: root Date: Mon, 20 Apr 2026 13:57:10 -0300 Subject: [PATCH] Document MCP re-authentication commands MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Codex does not auto-refresh expired OAuth access tokens for MCP servers. When a tool call fails with `Auth required`, users need to manually re-authenticate. Codex itself surfaces the suggestion at startup (`codex mcp login ` tip) — mirror that guidance in the README so users hit it before opening a support ticket. Also documents `codex mcp logout` as the nuclear option and plugin uninstall/reinstall as the last-resort fallback (trigger ON_INSTALL auth policy). Co-Authored-By: Claude Opus 4.7 (1M context) --- README.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/README.md b/README.md index bd1e9db..12c3af1 100644 --- a/README.md +++ b/README.md @@ -36,6 +36,23 @@ On first install Codex kicks off the OAuth 2.1 + PKCE flow against the MCP serve The MCP server implements **Dynamic Client Registration (RFC 7591)**, so Codex's ephemeral `http://localhost:` callback registers itself on the fly — no manual whitelisting in the AS required. Restricted to `@oracle.com` identities. +## Re-authentication + +If a tool call fails with `Auth required`, the OAuth access token has expired and Codex did not refresh it automatically. Re-authenticate without uninstalling: + +```bash +codex mcp login oci-deal-accelerator +``` + +Opens the browser, re-authenticates with Oracle SSO, tools are available again. If that fails, force a clean slate first: + +```bash +codex mcp logout oci-deal-accelerator +codex mcp login oci-deal-accelerator +``` + +As a last resort, uninstall the plugin from `/plugins` and reinstall — the `authentication: "ON_INSTALL"` policy triggers a fresh OAuth flow on install. + ## Repo layout ```