From b7b107302bf7dbfd2eaf4a865623e1c0a9e3022b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 22 May 2026 20:10:21 +0000 Subject: [PATCH 1/2] Apply remaining changes --- README.md | 1 + cmd/github-mcp-server/main.go | 3 +++ docs/streamable-http.md | 10 ++++++++++ pkg/http/server.go | 9 +++++++-- 4 files changed, 21 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index b387b61f15..747f3daa40 100644 --- a/README.md +++ b/README.md @@ -246,6 +246,7 @@ the hostname for GitHub Enterprise Server or GitHub Enterprise Cloud with data r - For GitHub Enterprise Server, prefix the hostname with the `https://` URI scheme, as it otherwise defaults to `http://`, which GitHub Enterprise Server does not support. - For GitHub Enterprise Cloud with data residency, use `https://YOURSUBDOMAIN.ghe.com` as the hostname. +- If your OAuth authorization server is different from `/login/oauth`, set `--authorization-server` or `GITHUB_AUTHORIZATION_SERVER`. ``` json "github": { diff --git a/cmd/github-mcp-server/main.go b/cmd/github-mcp-server/main.go index ab8b27bb3c..90690c1f12 100644 --- a/cmd/github-mcp-server/main.go +++ b/cmd/github-mcp-server/main.go @@ -139,6 +139,7 @@ var ( Host: viper.GetString("host"), Port: viper.GetInt("port"), BaseURL: viper.GetString("base-url"), + AuthorizationServer: viper.GetString("authorization-server"), ResourcePath: viper.GetString("base-path"), ExportTranslations: viper.GetBool("export-translations"), EnableCommandLogging: viper.GetBool("enable-command-logging"), 
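Review bot: In PATCH 1/2, cmd/github-mcp-server/main.go, the new `AuthorizationServer: viper.GetString("authorization-server")` line copies the operator-supplied value into the server config without any check, and the flag registration and `BindPFlag` hunks in `init()` add none either. Because this URL is advertised in the OAuth protected resource metadata, a typo or an `http://` value would point OAuth clients at the wrong or an unencrypted endpoint for authorization. I would reject a bad value at startup where the config is consumed, e.g. `if u, err := url.Parse(v); err != nil || u.Scheme != "https" || u.Host == "" { return fmt.Errorf("invalid authorization-server %q", v) }`. The struct literal this line sits in starts and ends outside the hunk, so the best place for the check is not visible here.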
@@ -184,6 +185,7 @@ func init() { // HTTP-specific flags httpCmd.Flags().Int("port", 8082, "HTTP server port") httpCmd.Flags().String("base-url", "", "Base URL where this server is publicly accessible (for OAuth resource metadata)") + httpCmd.Flags().String("authorization-server", "", "OAuth authorization server URL override (for OAuth resource metadata)") httpCmd.Flags().String("base-path", "", "Externally visible base path for the HTTP server (for OAuth resource metadata)") httpCmd.Flags().Bool("scope-challenge", false, "Enable OAuth scope challenge responses") @@ -203,6 +205,7 @@ func init() { _ = viper.BindPFlag("repo-access-cache-ttl", rootCmd.PersistentFlags().Lookup("repo-access-cache-ttl")) _ = viper.BindPFlag("port", httpCmd.Flags().Lookup("port")) _ = viper.BindPFlag("base-url", httpCmd.Flags().Lookup("base-url")) + _ = viper.BindPFlag("authorization-server", httpCmd.Flags().Lookup("authorization-server")) _ = viper.BindPFlag("base-path", httpCmd.Flags().Lookup("base-path")) _ = viper.BindPFlag("scope-challenge", httpCmd.Flags().Lookup("scope-challenge")) // Add subcommands diff --git a/docs/streamable-http.md b/docs/streamable-http.md index 0a11c5ea76..afc387dd9c 100644 --- a/docs/streamable-http.md +++ b/docs/streamable-http.md @@ -59,6 +59,16 @@ The OAuth protected resource metadata's `resource` attribute will be populated w This allows OAuth clients to discover authentication requirements and endpoint information automatically. +### With Custom OAuth Authorization Server + +If your GHES deployment requires a non-default OAuth authorization server URL, override it explicitly: + +```bash +github-mcp-server http --gh-host https://ghe.example.com --authorization-server https://auth.ghe.example.com/login/oauth +``` + +You can also set this via `GITHUB_AUTHORIZATION_SERVER`. + ## Client Configuration ### Using OAuth Authentication diff --git a/pkg/http/server.go b/pkg/http/server.go index 6fd19a8b9b..f9d0b415be 100644 --- a/pkg/http/server.go 
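Review bot: The help text for the new `authorization-server` flag in `init()` (PATCH 1/2, cmd/github-mcp-server/main.go) does not say what form the value must take, while the docs example in the same patch passes a full URL including the `/login/oauth` path. I would spell that out in the usage string: `httpCmd.Flags().String("authorization-server", "", "Absolute https URL of the OAuth authorization server, e.g. https://HOST/login/oauth (for OAuth resource metadata)")`. The docs also promise a `GITHUB_AUTHORIZATION_SERVER` environment variable; that presumably relies on viper's environment prefix and key replacer being configured elsewhere, which is outside this hunk and worth confirming.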
+++ b/pkg/http/server.go @@ -39,6 +39,10 @@ type ServerConfig struct { // If not set, the server will derive the URL from incoming request headers. BaseURL string + // AuthorizationServer is the OAuth authorization server URL advertised in OAuth + // protected resource metadata. If empty, it is derived from the GitHub host. + AuthorizationServer string + // ResourcePath is the externally visible base path for this server (e.g., "/mcp"). // This is used to restore the original path when a proxy strips a base path before forwarding. ResourcePath string @@ -150,8 +154,9 @@ func RunHTTPServer(cfg ServerConfig) error { // Register OAuth protected resource metadata endpoints oauthCfg := &oauth.Config{ - BaseURL: cfg.BaseURL, - ResourcePath: cfg.ResourcePath, + BaseURL: cfg.BaseURL, + AuthorizationServer: cfg.AuthorizationServer, + ResourcePath: cfg.ResourcePath, } serverOptions := []HandlerOption{} From 3fe69e6f191c448ec12cdf1ea5f14c7a239d84dd Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 22 May 2026 20:19:36 +0000 Subject: [PATCH 2/2] Use host-derived OAuth authorization server only --- README.md | 1 - cmd/github-mcp-server/main.go | 3 --- docs/streamable-http.md | 10 ---------- pkg/http/server.go | 9 ++------- 4 files changed, 2 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index 747f3daa40..b387b61f15 100644 --- a/README.md +++ b/README.md @@ -246,7 +246,6 @@ the hostname for GitHub Enterprise Server or GitHub Enterprise Cloud with data r - For GitHub Enterprise Server, prefix the hostname with the `https://` URI scheme, as it otherwise defaults to `http://`, which GitHub Enterprise Server does not support. - For GitHub Enterprise Cloud with data residency, use `https://YOURSUBDOMAIN.ghe.com` as the hostname. -- If your OAuth authorization server is different from `/login/oauth`, set `--authorization-server` or `GITHUB_AUTHORIZATION_SERVER`. ``` json "github": { 
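Review bot: In PATCH 1/2, pkg/http/server.go, `RunHTTPServer` now sets `AuthorizationServer: cfg.AuthorizationServer` on `oauth.Config`, but the diffstat for this patch lists no file under the oauth package, so this only compiles and takes effect if `oauth.Config` already has that field and already falls back to the GitHub host when it is empty. The new field comment on `ServerConfig` states that fallback as fact ("If empty, it is derived from the GitHub host"); it should either name the code that performs the derivation or be backed by a test of the metadata response with and without the override. `RunHTTPServer` continues beyond the hunk, so any handling further down is not visible here.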
diff --git a/cmd/github-mcp-server/main.go b/cmd/github-mcp-server/main.go index 90690c1f12..ab8b27bb3c 100644 --- a/cmd/github-mcp-server/main.go +++ b/cmd/github-mcp-server/main.go @@ -139,7 +139,6 @@ var ( Host: viper.GetString("host"), Port: viper.GetInt("port"), BaseURL: viper.GetString("base-url"), - AuthorizationServer: viper.GetString("authorization-server"), ResourcePath: viper.GetString("base-path"), ExportTranslations: viper.GetBool("export-translations"), EnableCommandLogging: viper.GetBool("enable-command-logging"), @@ -185,7 +184,6 @@ func init() { // HTTP-specific flags httpCmd.Flags().Int("port", 8082, "HTTP server port") httpCmd.Flags().String("base-url", "", "Base URL where this server is publicly accessible (for OAuth resource metadata)") - httpCmd.Flags().String("authorization-server", "", "OAuth authorization server URL override (for OAuth resource metadata)") httpCmd.Flags().String("base-path", "", "Externally visible base path for the HTTP server (for OAuth resource metadata)") httpCmd.Flags().Bool("scope-challenge", false, "Enable OAuth scope challenge responses") @@ -205,7 +203,6 @@ func init() { _ = viper.BindPFlag("repo-access-cache-ttl", rootCmd.PersistentFlags().Lookup("repo-access-cache-ttl")) _ = viper.BindPFlag("port", httpCmd.Flags().Lookup("port")) _ = viper.BindPFlag("base-url", httpCmd.Flags().Lookup("base-url")) - _ = viper.BindPFlag("authorization-server", httpCmd.Flags().Lookup("authorization-server")) _ = viper.BindPFlag("base-path", httpCmd.Flags().Lookup("base-path")) _ = viper.BindPFlag("scope-challenge", httpCmd.Flags().Lookup("scope-challenge")) // Add subcommands diff --git a/docs/streamable-http.md b/docs/streamable-http.md index afc387dd9c..0a11c5ea76 100644 --- a/docs/streamable-http.md +++ b/docs/streamable-http.md 
@@ -59,16 +59,6 @@ The OAuth protected resource metadata's `resource` attribute will be populated w This allows OAuth clients to discover authentication requirements and endpoint information automatically. -### With Custom OAuth Authorization Server - -If your GHES deployment requires a non-default OAuth authorization server URL, override it explicitly: - -```bash -github-mcp-server http --gh-host https://ghe.example.com --authorization-server https://auth.ghe.example.com/login/oauth -``` - -You can also set this via `GITHUB_AUTHORIZATION_SERVER`. - ## Client Configuration ### Using OAuth Authentication diff --git a/pkg/http/server.go b/pkg/http/server.go index f9d0b415be..6fd19a8b9b 100644 --- a/pkg/http/server.go +++ b/pkg/http/server.go @@ -39,10 +39,6 @@ type ServerConfig struct { // If not set, the server will derive the URL from incoming request headers. BaseURL string - // AuthorizationServer is the OAuth authorization server URL advertised in OAuth - // protected resource metadata. If empty, it is derived from the GitHub host. - AuthorizationServer string - // ResourcePath is the externally visible base path for this server (e.g., "/mcp"). // This is used to restore the original path when a proxy strips a base path before forwarding. ResourcePath string @@ -154,9 +150,8 @@ func RunHTTPServer(cfg ServerConfig) error { // Register OAuth protected resource metadata endpoints oauthCfg := &oauth.Config{ - BaseURL: cfg.BaseURL, - AuthorizationServer: cfg.AuthorizationServer, - ResourcePath: cfg.ResourcePath, + BaseURL: cfg.BaseURL, + ResourcePath: cfg.ResourcePath, } serverOptions := []HandlerOption{}