codex - codex mcp login appears to require dynamic client registration for private OAuth MCP servers; cannot use pre-registered client identity

openai/codex#19154, fetched 2026-04-24 05:59:45

I’m seeing an interoperability problem between Codex MCP OAuth login and a private remote MCP server that uses FastMCP (Python) with Okta-backed OAuth.

The server is internal/non-public, so I can’t share the real URL or tenant details, but the behavior is consistent and reproducible with a sanitized config.

The key issue seems to be that Codex is attempting Dynamic Client Registration (DCR), while this server/IdP setup works with a pre-registered OAuth client in other MCP clients.

A fixed callback port is not enough to make this work in Codex.

Error Message

Error: Registration failed: Dynamic registration failed: Registration failed: HTTP 403 Forbidden: {"errorCode":"E0000005","errorSummary":"Invalid session","errorLink":"E0000005","errorId":"<redacted>","errorCauses":[]}

Root Cause

There are private enterprise MCP servers that are OAuth-protected but do not behave like public DCR-friendly endpoints. If Codex only supports DCR here, that blocks otherwise valid MCP integrations.

Code Example

mcp_oauth_callback_port = 8080

[mcp_servers.private_internal]
url = "https://redacted.example.internal/mcp"
enabled = true

---

codex mcp login private_internal

---

Error: Registration failed: Dynamic registration failed: Registration failed: HTTP 403 Forbidden: {"errorCode":"E0000005","errorSummary":"Invalid session","errorLink":"E0000005","errorId":"<redacted>","errorCauses":[]}

Environment

What version of Codex CLI is running?

codex-cli 0.122.0

What platform is your computer?

macOS 26.4.1 (build 25E253), arm64

Darwin 25.4.0

What issue are you seeing?

With this config:

mcp_oauth_callback_port = 8080

[mcp_servers.private_internal]
url = "https://redacted.example.internal/mcp"
enabled = true

running:

codex mcp login private_internal

fails with:

Error: Registration failed: Dynamic registration failed: Registration failed: HTTP 403 Forbidden: {"errorCode":"E0000005","errorSummary":"Invalid session","errorLink":"E0000005","errorId":"<redacted>","errorCauses":[]}

This server is a private FastMCP-based streamable HTTP MCP server using Okta for OAuth.

The same server works in another MCP client when configured with a pre-registered OAuth client identity and a fixed callback port.

What I expected

One of these should work:

  1. Codex completes OAuth successfully against this server.
  2. Codex allows configuring a pre-registered/static OAuth client identity per MCP server.
  3. Codex emits a clearer error indicating that this server requires a pre-registered client and that Codex currently only supports DCR for this flow.

What actually happened

Codex appears to attempt Dynamic Client Registration and fails before a usable browser auth flow completes.

Changing the callback port to a fixed value (mcp_oauth_callback_port = 8080) did not change the outcome.

Additional context

This looks related to other Codex MCP OAuth issues involving DCR assumptions and nontrivial OAuth servers:

From the Codex docs, I could find support for:

  • codex mcp login
  • mcp_oauth_callback_port
  • mcp_oauth_callback_url
  • per-server scopes
  • per-server oauth_resource

But I could not find a documented way to provide a per-server static OAuth client id / client identity for MCP login.

Why this matters

There are private enterprise MCP servers that are OAuth-protected but do not behave like public DCR-friendly endpoints. If Codex only supports DCR here, that blocks otherwise valid MCP integrations.

Request

Please clarify whether Codex MCP OAuth login is expected to support:

  • private OAuth MCP servers backed by Okta
  • pre-registered/static OAuth client identities
  • FastMCP-based remote servers that do not support Codex-style DCR assumptions

If not, it would help to either:

  • add support for per-server static client configuration, or
  • document that limitation explicitly and fail with a more precise error.

extent analysis

TL;DR

The issue can be addressed by adding support for per-server static OAuth client configuration or documenting the limitation of Codex MCP OAuth login with private OAuth MCP servers.

Guidance

  • Investigate the possibility of adding support for per-server static OAuth client configuration to Codex MCP OAuth login.
  • Consider documenting the current limitation of Codex MCP OAuth login with private OAuth MCP servers that do not support Dynamic Client Registration (DCR).
  • Review the Codex documentation to ensure it clearly states the supported OAuth flows and configurations.
  • Explore alternative OAuth flows that can work with private enterprise MCP servers, such as using a pre-registered OAuth client identity.

Example

No code snippet is provided as the issue is related to configuration and documentation rather than code implementation.

Notes

The issue highlights the importance of supporting various OAuth configurations to ensure compatibility with different MCP servers. The current implementation of Codex MCP OAuth login assumes DCR, which may not work with all private OAuth MCP servers.

Recommendation

Apply a workaround by documenting the limitation of Codex MCP OAuth login with private OAuth MCP servers and exploring alternative OAuth flows. This will help users understand the current capabilities and limitations of the system.
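
The behaviour requested in the issue (expectations 2 and 3) and the first guidance item above, as an added example that is not Codex's or FastMCP's code: a client prefers a configured pre-registered client_id, falls back to DCR only when the authorization server metadata advertises a registration_endpoint, and reports a refused registration precisely. The function names, the sample metadata, the client id and the /callback path are assumptions made for illustration.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed RFC 8414-style metadata; not a real tenant.
SAMPLE_METADATA = {
    "authorization_endpoint": "https://idp.example.internal/authorize",
    "registration_endpoint": "https://idp.example.internal/register",
}


class ClientIdentityError(Exception):
    """No usable OAuth client identity could be determined."""


def choose_client_identity(as_metadata, static_client_id=None):
    """Return ("static", client_id) or ("dcr", registration_endpoint)."""
    if static_client_id:
        # A pre-registered client wins; the registration endpoint is never called.
        return ("static", static_client_id)
    if as_metadata.get("registration_endpoint"):
        return ("dcr", as_metadata["registration_endpoint"])
    raise ClientIdentityError("no registration_endpoint; pre-registered client_id required")


def explain_dcr_failure(status):
    """Map a registration HTTP status to an actionable message."""
    if status in (401, 403):
        return ("dynamic client registration refused (HTTP %d); configure a "
                "pre-registered client_id for this server" % status)
    return "dynamic client registration failed (HTTP %d)" % status


def build_authorization_url(as_metadata, client_id, redirect_uri, scopes):
    """Authorization-code request with PKCE (S256) for a public client."""
    verifier = secrets.token_urlsafe(48)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    state = secrets.token_urlsafe(16)
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return as_metadata["authorization_endpoint"] + "?" + query, verifier, state
```

The caller keeps the returned verifier and state for the token exchange and callback check; the redirect URI passed in must match the one registered for the static client exactly, which is why a fixed callback port matters on the IdP side.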
