Add OAuth support (#156)

* Add OAuth config entries (#142)

* Add OAuth config variables

* Update ProcessEnv

* Add test for clientIdSecretPairs

* Clean up

* Fix bad merge, address copilot suggestion

* A few housekeeping things (#143)

* Update lint rules

* Use 127.0.0.1 for local http

* Fix lint errors

* Upload docs artifacts

* Add API definitions (#144)

* Add Tableau OAuth Zodios definitions

* Add Get Current Server Session REST API

* Update import

* Add OAuth 2.1 implementation (#145)

* Add OAuth 2.1 implementation

* Remove scope from access token

* Apply suggestion from @Copilot

Co-authored-by: Copilot <[email protected]>

* Fix expiration of access token generated from client creds

* Add clientId to token

* Treat Tableau access token expiry in seconds

* Treat all timestamps in seconds

* Rotate the refresh token

* Generate new code verifier for Tableau

* Add auth middleware (#147)

* Add auth middleware

* Add clientId in access token

* Remove extraneous variable

* Treat Tableau access token expiration in seconds

* Treat all timestamps in seconds

* Add getTableauAuthInfo

* Update tools to use OAuth info (#148)

* Log username

* Update tools

* Add prompt when disabling OAuth

* Rename to DANGEROUSLY_DISABLE_OAUTH

* Add OAuth tests (#149)

* Add supertest and OAuth tests

* Run OAuth tests during CI

* Remove OAUTH_JWE_PRIVATE_KEY_PASSPHRASE

* Remove more unneeded env vars

* Remove unneeded TRANSPORT

* Address Copilot suggestions

* s/return/await

* Add additional refresh_token coverage

* Update should redirect to Tableau OAuth

* Improve afterEach

* Add invalid token request test

* Add OAuth docs (#150)

* Add mermaid theme

* Fix mermaid theme version

* Add OAuth docs

* Rename optional.md to env-vars.md

* Merge env var files

* Update warnings

* Add warning to http-server

* Update docs

---------

Co-authored-by: Copilot <[email protected]>

---------

Co-authored-by: Copilot <[email protected]>

---------

Co-authored-by: Copilot <[email protected]>

---------

Co-authored-by: Copilot <[email protected]>

* Bump version

---------

Co-authored-by: Copilot <[email protected]>

Author: anyoung-tableau

.github/workflows/ci.yml

@@ -56,6 +56,15 @@ jobs:
           CONNECTED_APP_SECRET_ID: ${{ secrets.E2E_TEST_CONNECTED_APP_SECRET_ID }}
           CONNECTED_APP_SECRET_VALUE: ${{ secrets.E2E_TEST_CONNECTED_APP_SECRET_VALUE }}
 
+      - name: OAuth Tests
+        run: npm run test:oauth
+        env:
+          SERVER: ${{ secrets.E2E_TEST_SERVER }}
+          SITE_NAME: ${{ secrets.E2E_TEST_SITE_NAME }}
+          OAUTH_ISSUER: http://127.0.0.1:3927
+          OAUTH_JWE_PRIVATE_KEY: ${{ secrets.OAUTH_TEST_OAUTH_JWE_PRIVATE_KEY }}
+          OAUTH_JWE_PRIVATE_KEY_PASSPHRASE: ${{ secrets.OAUTH_TEST_OAUTH_JWE_PRIVATE_KEY_PASSPHRASE }}
+
       - name: Build Claude MCP Bundle
         run: |
           npm run build:manifest:script

.github/workflows/test-deploy.yml

@@ -29,3 +29,10 @@ jobs:
         run: npm ci
       - name: Test build website
         run: npm run build
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: artifacts
+          if-no-files-found: error
+          path: |
+            docs/build/

config.http.json

@@ -2,7 +2,7 @@
   "mcpServers": {
     "tableau": {
       "type": "streamable-http",
-      "url": "http://localhost:3927/tableau-mcp"
+      "url": "http://127.0.0.1:3927/tableau-mcp"
     }
   }
 }

docs/docs/configuration/mcp-config/authentication/README.md

@@ -9,3 +9,4 @@ There are a couple different ways to authenticate to Tableau.
 
 1. Provide your Tableau [Personal Access Token](pat.md) (PAT).
 2. Use Tableau [Connected Apps](direct-trust.md).
+3. Use Tableau [OAuth](oauth.md).

docs/docs/configuration/mcp-config/authentication/_category_.json

@@ -1,4 +1,4 @@
 {
   "label": "Authentication",
-  "position": 4
+  "position": 2
 }

docs/docs/configuration/mcp-config/authentication/direct-trust.md

@@ -1,6 +1,5 @@
 ---
-sidebar_position: 3
-title: Direct Trust
+sidebar_position: 2
 ---
 
 # Direct Trust
@@ -22,6 +21,8 @@ it internally calls into VizQL Data Service, the JWT will only have the
 
 The username for the `sub` claim of the JWT.
 
+- Can either be a hard-coded username, or the OAuth username by setting it to `{OAUTH_USERNAME}`.
+
 <hr />
 
 ### `CONNECTED_APP_CLIENT_ID`
@@ -53,12 +54,13 @@ code where it could accidentally be revealed.
 
 ### `JWT_ADDITIONAL_PAYLOAD`
 
-A JSON string that includes any additional user attributes to include on the JWT.
+A JSON string that includes any additional user attributes to include on the JWT. It also supports
+dynamically including the OAuth username.
 
 Example:
 
 ```json
-{ "region": "West" }
+{ "username": "{OAUTH_USERNAME}", "region": "West" }
 ```
 
 [direct-trust]: https://help.tableau.com/current/online/en-us/connected_apps.htm#direct-trust

docs/docs/configuration/mcp-config/authentication/oauth.md

@@ -0,0 +1,22 @@
+---
+sidebar_position: 3
+---
+
+# OAuth
+
+:::warning
+
+Tableau Server 2025.3+ only. Full Tableau Cloud is not supported yet but is coming soon ETA Q2 2026.
+Until then, enabling OAuth support against a Tableau Cloud site will only work when the MCP server
+is accessed using a local development URL e.g. `http://127.0.0.1:3927/tableau-mcp`.
+
+:::
+
+When `AUTH` is `oauth`, the MCP server will use a Tableau session initiated by the Tableau OAuth
+flow to authenticate to the Tableau REST APIs.
+
+:::info
+
+See [Enabling OAuth](../oauth.md) for details on how to configure the MCP server to use OAuth.
+
+:::

docs/docs/configuration/mcp-config/authentication/pat.md

@@ -1,5 +1,5 @@
 ---
-sidebar_position: 2
+sidebar_position: 1
 title: PAT
 ---
 

docs/docs/configuration/mcp-config/optional.md renamed to docs/docs/configuration/mcp-config/env-vars.md

@@ -1,10 +1,30 @@
 ---
-sidebar_position: 2
+sidebar_position: 1
 ---
 
-# Optional Environment Variables
+# Environment Variables
 
-Values for the following environment variables are optional.
+Values for the following environment variables can be provided to configure the Tableau MCP server.
+
+## `SERVER`
+
+The URL of the Tableau server.
+
+- For Tableau Cloud, specify your site's specific pod e.g.
+  `https://prod-useast-c.online.tableau.com`
+- Required unless [`AUTH`](#auth) is `oauth`.
+
+<hr />
+
+## `SITE_NAME`
+
+The name of the Tableau site to use.
+
+- For Tableau Cloud, specify your site name.
+- For Tableau Server, you may leave this value blank to use the default site.
+- Required unless [`AUTH`](#auth) is `oauth`.
+
+<hr />
 
 ## `TRANSPORT`
 
@@ -19,10 +39,10 @@ The MCP transport type to use for the server.
 
 ## `AUTH`
 
-The Tableau authentication method to use by the server.
+The method the MCP server uses to authenticate to the Tableau REST APIs.
 
 - Default: `pat`
-- Possible values: `pat` or `direct-trust`
+- Possible values: `pat`, `direct-trust`, or `oauth`
 - See [Authentication](authentication) for additional required variables depending on the desired
   method.
 
@@ -43,6 +63,8 @@ APIs.
 - Each line in the log file is a JSON object with the following properties:
 
   - `timestamp`: The timestamp of the log message in UTC time.
+  - `username`: For tool calls, the username of the user who made the call. This is only present
+    when OAuth is enabled and has the user context.
   - `level`: The logging level of the log message.
   - `logger`: The logger of the log message. This is typically `rest-api` for HTTP traces or
     `tableau-mcp` for tool calls.

docs/docs/configuration/mcp-config/http-server.md

@@ -7,6 +7,16 @@ sidebar_position: 5
 The Tableau MCP server can be configured to run as an HTTP server, leveraging the Streaming HTTP MCP
 transport. This is useful for deploying the server remotely and exposing it to multiple clients.
 
+:::warning
+
+When `TRANSPORT` is `http`, the default behavior changes to require protecting your MCP server with
+OAuth as a security best practice.
+
+To opt out of this behavior at your own risk, please see the entry on
+[`DANGEROUSLY_DISABLE_OAUTH`](oauth.md#dangerously_disable_oauth).
+
+:::
+
 When `TRANSPORT` is `http`, the following environment variables can be used to configure the HTTP
 server. They are all optional.