Skip to content

[REMOTE] OAuth browser window never opens in GitHub Copilot CLI - silently fails with no cached tokens #1399

Description

@pvanukoff-centuri

This template is for Azure DevOps Remote MCP Server feedback only.

Issue Type

  • Feedback on Remote MCP Server
  • Bug in Remote MCP Server
  • Tool or feature request for Remote MCP Server

Tool(s)

Remote MCP Server - OAuth Authentication

Description

When adding the Azure DevOps remote MCP server (https://mcp.dev.azure.com/<ORG>) in GitHub Copilot CLI on Windows, the OAuth browser window never opens. The app silently fails without prompting the user to sign in, and there is no "Sign in" button or prompt visible in the UI.

Steps to Reproduce

  1. Add the Azure DevOps remote MCP server in GitHub Copilot CLI settings with URL https://mcp.dev.azure.com/<ORG>
  2. Restart the app
  3. Observe: no browser window opens, no sign-in prompt appears in UI
  4. MCP server remains unauthenticated

Expected Behavior

A browser window (or in-app prompt) should open to complete the OAuth flow against https://login.microsoftonline.com/<TENANT_ID>/v2.0, allowing the user to authenticate and cache a token for https://mcp.dev.azure.com/.default.

Actual Behavior

No browser window appears. The app logs show the OAuth flow is triggered but immediately fails:

[ERROR] Server azure-devops requires authentication, initiating OAuth flow
[ERROR] OAuth authentication required for azure-devops
[ERROR] OAuth required for azure-devops with no cached tokens; marking as needs-auth
[ERROR] OAuth authentication was required but not provided for azure-devops
[ERROR] Failed to start MCP client for remote server azure-devops with OAuth: Error: OAuth authentication failed for azure-devops
[ERROR] Recorded failure for server azure-devops: OAuth authentication failed for azure-devops
[ERROR] MCP server azure-devops still needs interactive re-auth: MCPOAuthBrowserRequiredError: Browser-based OAuth required for https://mcp.dev.azure.com/<ORG>

The OAuth discovery endpoint returns correctly:

{
  "resource": "https://mcp.dev.azure.com/<ORG>",
  "authorization_servers": ["https://login.microsoftonline.com/<TENANT_ID>/v2.0"],
  "bearer_methods_supported": ["header"],
  "scopes_supported": ["https://mcp.dev.azure.com/.default"]
}

No token files are created in ~/.copilot/mcp-oauth-config/.

Environment

  • OS: Windows 11
  • Client: GitHub Copilot CLI (desktop app)
  • MCP Server URL: https://mcp.dev.azure.com/<ORG>
  • ADO Org: Private org (AAD-backed tenant)

Workaround

Using az devops CLI with az account get-access-token --resource https://mcp.dev.azure.com succeeds and returns a valid token, confirming the user is authenticated and the org/tenant are valid. The issue is isolated to the Copilot app's OAuth browser launch step.

Metadata

Metadata

Assignees

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions