Codex does not auto-refresh expired OAuth access tokens for MCP servers. When a tool call fails with `Auth required`, users need to manually re-authenticate. Codex itself surfaces the suggestion at startup (`codex mcp login <name>` tip) — mirror that guidance in the README so users hit it before opening a support ticket. Also documents `codex mcp logout` as the nuclear option and plugin uninstall/reinstall as the last-resort fallback (trigger ON_INSTALL auth policy). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
OCI Deal Accelerator — Codex Plugin
Codex plugin that connects to the OCI Deal Accelerator MCP server and bundles a companion skill. Distributed internally via ai-lad.com.
What you get
14 tools surfaced through a remote MCP server (streamable HTTP, OAuth 2.1):
generate_full_proposal,generate_bom,generate_bom_appca,generate_cost_estimategenerate_deck,generate_diagram,generate_business_caserun_wa_review,check_feature_compatibility,compare_competitivesearch_reference_architectures,search_field_findings,report_field_findingscore_ecal_readiness
Plus a skill (skills/oci-deal-accelerator/SKILL.md) that guides Codex on when and how to invoke each tool.
Install
Once the plugin is registered in ai-lad.com you will get an <ID>. Replace it below.
Windows (PowerShell)
iwr -UseBasicParsing 'https://ai-lad.com/api/skills/<ID>/install-script?os=windows' | iex
macOS / Linux
curl -fsSL 'https://ai-lad.com/api/skills/<ID>/install-script?os=unix' | bash
The installer downloads the plugin ZIP, extracts it to ~/plugins/oci-deal-accelerator/, merges the ai-factory marketplace entry in ~/.agents/plugins/marketplace.json, and restarts Codex. Policy: installation: "AVAILABLE", authentication: "ON_INSTALL".
First-run authentication
On first install Codex kicks off the OAuth 2.1 + PKCE flow against the MCP server (AS proxy → OCI Identity Domain). A browser window opens; sign in with your Oracle SSO.
The MCP server implements Dynamic Client Registration (RFC 7591), so Codex's ephemeral http://localhost:<port> callback registers itself on the fly — no manual whitelisting in the AS required. Restricted to @oracle.com identities.
Re-authentication
If a tool call fails with Auth required, the OAuth access token has expired and Codex did not refresh it automatically. Re-authenticate without uninstalling:
codex mcp login oci-deal-accelerator
Opens the browser, re-authenticates with Oracle SSO, tools are available again. If that fails, force a clean slate first:
codex mcp logout oci-deal-accelerator
codex mcp login oci-deal-accelerator
As a last resort, uninstall the plugin from /plugins and reinstall — the authentication: "ON_INSTALL" policy triggers a fresh OAuth flow on install.
Repo layout
oci-deal-accelerator-codex/
├── .codex-plugin/
│ └── plugin.json # Codex plugin manifest
├── .mcp.json # Remote MCP server config
├── skills/
│ └── oci-deal-accelerator/
│ └── SKILL.md # Tool-usage guidance
├── assets/ # logo.png, icon.png, screenshot-1.png
├── README.md
└── .gitignore