Document MCP re-authentication commands

Codex does not auto-refresh expired OAuth access tokens for MCP servers.
When a tool call fails with `Auth required`, users need to manually
re-authenticate. Codex itself surfaces the suggestion at startup
(`codex mcp login <name>` tip) — mirror that guidance in the README so
users hit it before opening a support ticket.

Also documents `codex mcp logout` as the nuclear option and plugin
uninstall/reinstall as the last-resort fallback (trigger ON_INSTALL
auth policy).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
root
2026-04-20 13:57:10 -03:00
parent e0fd1cbf6a
commit 69bf81af48

View File

@@ -36,6 +36,23 @@ On first install Codex kicks off the OAuth 2.1 + PKCE flow against the MCP serve
The MCP server implements **Dynamic Client Registration (RFC 7591)**, so Codex's ephemeral `http://localhost:<port>` callback registers itself on the fly — no manual whitelisting in the AS required. Restricted to `@oracle.com` identities.
## Re-authentication
If a tool call fails with `Auth required`, the OAuth access token has expired and Codex did not refresh it automatically. Re-authenticate without uninstalling:
```bash
codex mcp login oci-deal-accelerator
```
Opens the browser, re-authenticates with Oracle SSO, tools are available again. If that fails, force a clean slate first:
```bash
codex mcp logout oci-deal-accelerator
codex mcp login oci-deal-accelerator
```
As a last resort, uninstall the plugin from `/plugins` and reinstall — the `authentication: "ON_INSTALL"` policy triggers a fresh OAuth flow on install.
## Repo layout
```