Use host-derived OAuth authorization server only

Copilot · web-flow · commit 3fe69e6f191c · 2026-05-22T20:19:36.000Z
diff --git a/README.md b/README.md
@@ -246,7 +246,6 @@ the hostname for GitHub Enterprise Server or GitHub Enterprise Cloud with data r
 
 - For GitHub Enterprise Server, prefix the hostname with the `https://` URI scheme, as it otherwise defaults to `http://`, which GitHub Enterprise Server does not support.
 - For GitHub Enterprise Cloud with data residency, use `https://YOURSUBDOMAIN.ghe.com` as the hostname.
-- If your OAuth authorization server is different from `<host>/login/oauth`, set `--authorization-server` or `GITHUB_AUTHORIZATION_SERVER`.
 
 ``` json
 "github": {
diff --git a/cmd/github-mcp-server/main.go b/cmd/github-mcp-server/main.go
@@ -139,7 +139,6 @@ var (
 				Host:                 viper.GetString("host"),
 				Port:                 viper.GetInt("port"),
 				BaseURL:              viper.GetString("base-url"),
-				AuthorizationServer:  viper.GetString("authorization-server"),
 				ResourcePath:         viper.GetString("base-path"),
 				ExportTranslations:   viper.GetBool("export-translations"),
 				EnableCommandLogging: viper.GetBool("enable-command-logging"),
@@ -185,7 +184,6 @@ func init() {
 	// HTTP-specific flags
 	httpCmd.Flags().Int("port", 8082, "HTTP server port")
 	httpCmd.Flags().String("base-url", "", "Base URL where this server is publicly accessible (for OAuth resource metadata)")
-	httpCmd.Flags().String("authorization-server", "", "OAuth authorization server URL override (for OAuth resource metadata)")
 	httpCmd.Flags().String("base-path", "", "Externally visible base path for the HTTP server (for OAuth resource metadata)")
 	httpCmd.Flags().Bool("scope-challenge", false, "Enable OAuth scope challenge responses")
 
@@ -205,7 +203,6 @@ func init() {
 	_ = viper.BindPFlag("repo-access-cache-ttl", rootCmd.PersistentFlags().Lookup("repo-access-cache-ttl"))
 	_ = viper.BindPFlag("port", httpCmd.Flags().Lookup("port"))
 	_ = viper.BindPFlag("base-url", httpCmd.Flags().Lookup("base-url"))
-	_ = viper.BindPFlag("authorization-server", httpCmd.Flags().Lookup("authorization-server"))
 	_ = viper.BindPFlag("base-path", httpCmd.Flags().Lookup("base-path"))
 	_ = viper.BindPFlag("scope-challenge", httpCmd.Flags().Lookup("scope-challenge"))
 	// Add subcommands
diff --git a/docs/streamable-http.md b/docs/streamable-http.md
@@ -59,16 +59,6 @@ The OAuth protected resource metadata's `resource` attribute will be populated w
 
 This allows OAuth clients to discover authentication requirements and endpoint information automatically.
 
-### With Custom OAuth Authorization Server
-
-If your GHES deployment requires a non-default OAuth authorization server URL, override it explicitly:
-
-```bash
-github-mcp-server http --gh-host https://ghe.example.com --authorization-server https://auth.ghe.example.com/login/oauth
-```
-
-You can also set this via `GITHUB_AUTHORIZATION_SERVER`.
-
 ## Client Configuration
 
 ### Using OAuth Authentication
diff --git a/pkg/http/server.go b/pkg/http/server.go
@@ -39,10 +39,6 @@ type ServerConfig struct {
 	// If not set, the server will derive the URL from incoming request headers.
 	BaseURL string
 
-	// AuthorizationServer is the OAuth authorization server URL advertised in OAuth
-	// protected resource metadata. If empty, it is derived from the GitHub host.
-	AuthorizationServer string
-
 	// ResourcePath is the externally visible base path for this server (e.g., "/mcp").
 	// This is used to restore the original path when a proxy strips a base path before forwarding.
 	ResourcePath string
@@ -154,9 +150,8 @@ func RunHTTPServer(cfg ServerConfig) error {
 
 	// Register OAuth protected resource metadata endpoints
 	oauthCfg := &oauth.Config{
-		BaseURL:             cfg.BaseURL,
-		AuthorizationServer: cfg.AuthorizationServer,
-		ResourcePath:        cfg.ResourcePath,
+		BaseURL:      cfg.BaseURL,
+		ResourcePath: cfg.ResourcePath,
 	}
 
 	serverOptions := []HandlerOption{}
