Description
Summary
OAuth discovery requests to /.well-known/oauth-authorization-server hang indefinitely instead of returning a quick 404 response. This causes Codex MCP connections to timeout after 15 seconds per server.
Problem
The Codex rmcp client (Rust MCP client) attempts OAuth discovery at the standard path:
GET http://host.docker.internal/.well-known/oauth-authorization-server
But the MCP Gateway registers the OAuth handler at:
/mcp/.well-known/oauth-authorization-server
Since there's no handler at /.well-known/..., the request has no matching route and hangs instead of returning 404.
Evidence
Smoke-codex workflow run: https://github.com/github/gh-aw/actions/runs/21688558782
Error pattern:
DEBUG session_init: codex_rmcp_client::auth_status: OAuth discovery requests failed for
http://host.docker.internal:80/mcp/playwright: error sending request for url
(http://host.docker.internal/.well-known/oauth-authorization-server)
Caused by:
operation timed out
Result:
- OAuth discovery times out (15 seconds per server)
- 4 of 6 MCP servers fail to connect
- Only tavily and safeoutputs succeed (race condition - they complete before timeout exhausts resources)
Firewall logs confirm traffic reaches gateway:
11 requests | 11 allowed | 0 blocked | 1 unique domain
| Domain | Allowed | Denied |
|---------------------|---------|--------|
| host.docker.internal | 11 | 0 |
Comparison with working run
In run 21653900083 (before chroot mode), using IP address 172.30.0.1, OAuth discovery was NOT attempted and all 6 MCP servers connected successfully:
ready: ["safeoutputs", "safeinputs", "github", "playwright", "tavily", "serena"]
Current Route Registration
From internal/server/transport.go:
| Route | Handler |
|---|---|
| /mcp/.well-known/oauth-authorization-server | OAuth handler (returns 404) |
| /mcp/ and /mcp | StreamableHTTPHandler |
| /health | Health check |
| /close | Graceful shutdown |
| /.well-known/* | NO HANDLER ← causes hang |
Proposed Fix
Add a handler for OAuth discovery at the standard path (without /mcp/ prefix):
```go
// In internal/server/transport.go, add alongside existing routes:
mux.HandleFunc("/.well-known/oauth-authorization-server", func(w http.ResponseWriter, r *http.Request) {
	http.NotFound(w, r)
})
```
This ensures OAuth discovery requests get an immediate 404 response instead of hanging.
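As an added regression check (example code, not gh-aw's transport.go), the following builds a stand-in mux with the routes listed above plus the proposed handler, then probes the standard discovery path with a short deadline so a hang surfaces as an error instead of a 15-second stall. The `/mcp/` handler is a placeholder for StreamableHTTPHandler.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// newGatewayMux mirrors the route table from the issue: the existing
// /mcp/-prefixed OAuth handler, a stand-in for the MCP handler, and the
// proposed fast-404 handler at the path the rmcp client actually requests.
// Assumed example code, not the gateway's own registration.
func newGatewayMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/mcp/.well-known/oauth-authorization-server", http.NotFound)
	mux.HandleFunc("/mcp/", func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK) // placeholder for StreamableHTTPHandler
	})
	// Proposed fix: answer the standard discovery path immediately.
	mux.HandleFunc("/.well-known/oauth-authorization-server", http.NotFound)
	return mux
}

// probeDiscovery sends the same GET the Codex rmcp client issues, bounded by
// a deadline; a route that never answers returns a timeout error here.
func probeDiscovery(baseURL string, timeout time.Duration) (int, error) {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	req, err := http.NewRequestWithContext(ctx, http.MethodGet,
		baseURL+"/.well-known/oauth-authorization-server", nil)
	if err != nil {
		return 0, err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err // includes context deadline exceeded on a hang
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	srv := httptest.NewServer(newGatewayMux())
	defer srv.Close()
	code, err := probeDiscovery(srv.URL, 2*time.Second)
	fmt.Println("discovery status:", code, "err:", err) // expect 404, <nil>
}
```

A bare http.ServeMux already returns 404 for paths with no registered pattern, so the same probe is worth pointing at the real gateway (including any proxy or middleware in front of the mux) to confirm where the request actually stalls.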
Impact
This fix would:
- Make OAuth discovery fail fast (instant 404 instead of 15s timeout)
- Allow all 6 MCP servers to connect successfully in Codex workflows
- Fix smoke-codex CI failures
Related
- gh-aw PR #13792: Removed hardcoded IP from Codex config (firewall fix - separate issue)