Document MCP re-authentication commands
Codex does not auto-refresh expired OAuth access tokens for MCP servers. When a tool call fails with `Auth required`, users need to manually re-authenticate. Codex itself surfaces the suggestion at startup (`codex mcp login <name>` tip) — mirror that guidance in the README so users hit it before opening a support ticket. Also documents `codex mcp logout` as the nuclear option and plugin uninstall/reinstall as the last-resort fallback (trigger ON_INSTALL auth policy). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
17
README.md
17
README.md
@@ -36,6 +36,23 @@ On first install Codex kicks off the OAuth 2.1 + PKCE flow against the MCP serve
|
||||
|
||||
The MCP server implements **Dynamic Client Registration (RFC 7591)**, so Codex's ephemeral `http://localhost:<port>` callback registers itself on the fly — no manual whitelisting in the AS required. Restricted to `@oracle.com` identities.
|
||||
|
||||
## Re-authentication
|
||||
|
||||
If a tool call fails with `Auth required`, the OAuth access token has expired and Codex did not refresh it automatically. Re-authenticate without uninstalling:
|
||||
|
||||
```bash
|
||||
codex mcp login oci-deal-accelerator
|
||||
```
|
||||
|
||||
Opens the browser, re-authenticates with Oracle SSO, tools are available again. If that fails, force a clean slate first:
|
||||
|
||||
```bash
|
||||
codex mcp logout oci-deal-accelerator
|
||||
codex mcp login oci-deal-accelerator
|
||||
```
|
||||
|
||||
As a last resort, uninstall the plugin from `/plugins` and reinstall — the `authentication: "ON_INSTALL"` policy triggers a fresh OAuth flow on install.
|
||||
|
||||
## Repo layout
|
||||
|
||||
```
|
||||
|
||||
Reference in New Issue
Block a user