auth field on HTTP MCP servers rejected by frontmatter schema validation #24323

@bbonafed

Problem

The auth field for GitHub Actions OIDC authentication on HTTP MCP servers is documented, implemented in the Go compiler (mcp_config_custom.go), and supported by the MCP Gateway schema — but it is rejected at compile time because main_workflow_schema.json does not include auth in the http_mcp_tool definition.

The http_mcp_tool schema at pkg/parser/schemas/main_workflow_schema.json line ~9617 has additionalProperties: false and only allows: type, registry, url, headers, allowed.

Reproduction

mcp-servers:
  my-server:
    type: http
    url: "https://my-server.example.com/mcp"
    auth:
      type: github-oidc
      audience: "https://my-server.example.com"
    allowed: ["*"]

$ gh aw compile workflow.md
✗ error: 'mcp-servers/my-server': Unknown properties: auth, url.

The oneOf discriminator between stdio_mcp_tool and http_mcp_tool fails because neither variant accepts auth, causing the validator to reject the entire object (including url, which produces a confusing error message).

Root Cause

PR #23611 (09d4edee74) added OIDC auth support to:

  • pkg/types/mcp.go (BaseMCPServerConfig.Auth)
  • pkg/workflow/mcp_config_custom.go (runtime parsing)
  • pkg/workflow/schemas/mcp-gateway-config.schema.json (gateway schema)
  • docs/public/schemas/mcp-gateway-config.schema.json (docs schema)

But did not update pkg/parser/schemas/main_workflow_schema.json (the frontmatter validation schema), so the compiler's schema validator rejects auth before the Go code ever sees it.

Expected Fix

Add auth to the http_mcp_tool definition in main_workflow_schema.json:

"http_mcp_tool": {
  "properties": {
    "type": { ... },
    "registry": { ... },
    "url": { ... },
    "headers": { ... },
    "allowed": { ... },
    "auth": {
      "type": "object",
      "description": "Upstream authentication config for HTTP MCP servers",
      "properties": {
        "type": {
          "type": "string",
          "enum": ["github-oidc"],
          "description": "Authentication type"
        },
        "audience": {
          "type": "string",
          "description": "OIDC audience claim (defaults to server URL)"
        }
      },
      "required": ["type"],
      "additionalProperties": false
    }
  },
  "required": ["url"],
  "additionalProperties": false
}

Impact

Any workflow using auth: type: github-oidc on an HTTP MCP server cannot compile. The documented example in docs/src/content/docs/guides/mcps.md (line ~104) does not work with the current compiler.

Versions

  • gh aw v0.65.6
  • Confirmed present on main at HEAD (f2bf5c6a48)
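
The oneOf failure described in this issue can be reproduced in isolation. The Go sketch below is an added example, not gh-aw's code or its validator: the stdio_mcp_tool key list and the way rejected keys are merged into one message are assumptions, while the http_mcp_tool keys are the ones the issue lists.

```go
package main

import (
	"fmt"
	"sort"
)

// variant models one oneOf branch that sets additionalProperties: false.
type variant struct {
	name     string
	allowed  map[string]bool
	required []string
}

// The stdio key list is assumed for illustration; the http keys come from the issue text.
var stdio = variant{"stdio_mcp_tool", map[string]bool{"type": true, "command": true, "args": true, "env": true, "allowed": true}, []string{"command"}}
var httpNow = variant{"http_mcp_tool", map[string]bool{"type": true, "registry": true, "url": true, "headers": true, "allowed": true}, []string{"url"}}
var httpFixed = variant{"http_mcp_tool", map[string]bool{"type": true, "registry": true, "url": true, "headers": true, "allowed": true, "auth": true}, []string{"url"}}
// sample is the server entry from the reproduction, reduced to its top-level keys.
var sample = map[string]bool{"type": true, "url": true, "auth": true, "allowed": true}

// oneOf returns the branches that accept obj and the sorted union of keys some branch rejected.
func oneOf(obj map[string]bool, branches ...variant) (matched, unknown []string) {
	rejected := map[string]bool{}
	for _, b := range branches {
		ok := true
		for key := range obj {
			if !b.allowed[key] {
				rejected[key], ok = true, false
			}
		}
		for _, key := range b.required {
			ok = ok && obj[key]
		}
		if ok {
			matched = append(matched, b.name)
		}
	}
	for key := range rejected {
		unknown = append(unknown, key)
	}
	sort.Strings(unknown)
	return matched, unknown
}

func main() {
	fmt.Println(oneOf(sample, stdio, httpNow))   // no branch matches: [] [auth url]
	fmt.Println(oneOf(sample, stdio, httpFixed)) // exactly one branch matches
}
```

With the current key set no branch matches and url is reported alongside auth only because the stdio branch rejects it; once auth is allowed on the http branch exactly one branch matches, which is what oneOf requires.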
