Summary
When an HTTP MCP server uses auth.type: "github-oidc", the gateway currently validates the config structure during validateAuthConfig() (type is non-empty, type is "github-oidc"), but defers checking whether the required environment variables (ACTIONS_ID_TOKEN_REQUEST_URL, ACTIONS_ID_TOKEN_REQUEST_TOKEN) are actually present until launcher.New() startup time — or worse, until the first GetOrLaunch() call for that server.
This leads to a confusing failure mode: the gateway starts successfully, reports healthy, but then returns an error when the first request hits the OIDC server.
Related: github/gh-aw#25224 — the compiler does not forward these env vars into the gateway Docker container. Even after that compiler fix lands, the gateway should still validate early to catch misconfigurations.
Current Behavior
- Config validation (
validateAuthConfig): Checks auth.type is "github-oidc" ✅, but does NOT check env vars
launcher.New(): Logs an error if env vars missing, but does NOT fail startup — the server just won't work
GetOrLaunch(): Returns fmt.Errorf("server %q requires OIDC authentication but ACTIONS_ID_TOKEN_REQUEST_URL is not set") on first request
The error only surfaces when a client tries to use the server, not at startup.
Proposed Improvement
1. Add env var check in validateAuthConfig
After validating auth.type == "github-oidc", check that the required env vars exist:
func validateAuthConfig(auth *AuthConfig, serverName, jsonPath string) error {
// ... existing type validation ...
if auth.Type == "github-oidc" {
if os.Getenv("ACTIONS_ID_TOKEN_REQUEST_URL") == "" {
return rules.MissingRequired(
"ACTIONS_ID_TOKEN_REQUEST_URL", "environment", authPath,
"Server requires OIDC authentication but ACTIONS_ID_TOKEN_REQUEST_URL is not set. "+
"OIDC auth requires running in GitHub Actions with `permissions: { id-token: write }`")
}
}
return nil
}
This gives a fail-fast validation error at config load time, consistent with how the gateway validates other environment dependencies (e.g., ${VAR} expansion).
2. Improve the launcher.New() startup error
The current code logs an error but continues:
// Current: logs error but does NOT fail
logger.LogError("startup", "Server %q requires OIDC authentication but ...")
Consider making this a startup failure (return error from New()) so the gateway does not start in a partially-broken state. At minimum, record the error in serverErrors so the /health endpoint reflects it immediately.
3. Update health endpoint
Ensure /health reports servers with missing OIDC as "status": "error" at startup, not only after the first failed request. The serverErrors map in the launcher should be populated during New() for OIDC-misconfigured servers.
Files to Change
internal/config/validation.go — Add OIDC env var check in validateAuthConfig()
internal/launcher/launcher.go — Record server error during New() for health reporting
internal/config/validation_test.go — Add test cases for missing OIDC env vars
internal/launcher/launcher_test.go — Update tests for early error recording
References
Summary
When an HTTP MCP server uses
auth.type: "github-oidc", the gateway currently validates the config structure duringvalidateAuthConfig()(type is non-empty, type is"github-oidc"), but defers checking whether the required environment variables (ACTIONS_ID_TOKEN_REQUEST_URL,ACTIONS_ID_TOKEN_REQUEST_TOKEN) are actually present untillauncher.New()startup time — or worse, until the firstGetOrLaunch()call for that server.This leads to a confusing failure mode: the gateway starts successfully, reports healthy, but then returns an error when the first request hits the OIDC server.
Related: github/gh-aw#25224 — the compiler does not forward these env vars into the gateway Docker container. Even after that compiler fix lands, the gateway should still validate early to catch misconfigurations.
Current Behavior
validateAuthConfig): Checksauth.typeis"github-oidc"✅, but does NOT check env varslauncher.New(): Logs an error if env vars missing, but does NOT fail startup — the server just won't workGetOrLaunch(): Returnsfmt.Errorf("server %q requires OIDC authentication but ACTIONS_ID_TOKEN_REQUEST_URL is not set")on first requestThe error only surfaces when a client tries to use the server, not at startup.
Proposed Improvement
1. Add env var check in
validateAuthConfigAfter validating
auth.type == "github-oidc", check that the required env vars exist:This gives a fail-fast validation error at config load time, consistent with how the gateway validates other environment dependencies (e.g.,
${VAR}expansion).2. Improve the
launcher.New()startup errorThe current code logs an error but continues:
Consider making this a startup failure (return error from
New()) so the gateway does not start in a partially-broken state. At minimum, record the error inserverErrorsso the/healthendpoint reflects it immediately.3. Update health endpoint
Ensure
/healthreports servers with missing OIDC as"status": "error"at startup, not only after the first failed request. TheserverErrorsmap in the launcher should be populated duringNew()for OIDC-misconfigured servers.Files to Change
internal/config/validation.go— Add OIDC env var check invalidateAuthConfig()internal/launcher/launcher.go— Record server error duringNew()for health reportinginternal/config/validation_test.go— Add test cases for missing OIDC env varsinternal/launcher/launcher_test.go— Update tests for early error recordingReferences
ACTIONS_ID_TOKEN_REQUEST_URL/ACTIONS_ID_TOKEN_REQUEST_TOKENenv vars gh-aw#25224 — Compiler missing OIDC env var forwarding (root cause)internal/oidc/provider.go— OIDC token minting implementationinternal/config/validation.go:246-263— Current auth validation