fix: MCP OAuth token refresh, double DCR, and gpt_oss tool result error

- Persist discovered token_url in TokenData so token refresh works for
  servers using Dynamic Client Registration (fixes empty URL error)
- Reuse existing registered_client_id in OAuth start flow to prevent
  redundant DCR on repeated authentication attempts
- Only unpack tool result JSON content back to dict (not list/scalar)
  for gpt_oss, preventing Jinja2 |items filter failure on non-mappings

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

Author: ChristianPraiss

omlx/admin/routes.py

@@ -4094,18 +4094,25 @@ async def start_mcp_authenticate(name: str, request: Request, is_admin: bool = D
         if not token_url:
             token_url = metadata.get("token_endpoint", "")
         if not client_id:
-            reg_endpoint = metadata.get("registration_endpoint")
-            if not reg_endpoint:
-                raise HTTPException(
-                    status_code=400,
-                    detail="OAuth server does not advertise a registration_endpoint. "
-                    "Set client_id explicitly in the server auth config.",
-                )
-            try:
-                client_id = await _register_dynamic_client(reg_endpoint, redirect_uri)
+            # Reuse a previously registered client_id if available (avoid redundant DCR)
+            from ..mcp.token_store import TokenStore
+            existing_token = TokenStore(cfg.auth.token_store if cfg.auth else None).load(name)
+            if existing_token and existing_token.registered_client_id:
+                client_id = existing_token.registered_client_id
                 registered_client_id = client_id
-            except Exception as exc:
-                raise HTTPException(status_code=502, detail=f"Dynamic Client Registration failed: {exc}")
+            else:
+                reg_endpoint = metadata.get("registration_endpoint")
+                if not reg_endpoint:
+                    raise HTTPException(
+                        status_code=400,
+                        detail="OAuth server does not advertise a registration_endpoint. "
+                        "Set client_id explicitly in the server auth config.",
+                    )
+                try:
+                    client_id = await _register_dynamic_client(reg_endpoint, redirect_uri)
+                    registered_client_id = client_id
+                except Exception as exc:
+                    raise HTTPException(status_code=502, detail=f"Dynamic Client Registration failed: {exc}")
 
     code_verifier = _generate_code_verifier()
     code_challenge = _generate_code_challenge(code_verifier)
@@ -4194,6 +4201,8 @@ async def mcp_oauth_callback(
         )
         if session.get("registered_client_id"):
             token.registered_client_id = session["registered_client_id"]
+        if session.get("token_url"):
+            token.token_url = session["token_url"]
 
         TokenStore().save(session["server_name"], token)
         logger.info("MCP OAuth complete for server '%s'", session["server_name"])

omlx/mcp/oauth.py

@@ -431,6 +431,14 @@ async def _do_refresh(
             payload["scope"] = " ".join(auth_config.scopes)
 
         token_url = auth_config.token_url
+        if not token_url and stored_token and stored_token.token_url:
+            token_url = stored_token.token_url
+        if not token_url:
+            raise OAuthError(
+                "Cannot refresh token: no token_url available. "
+                "Re-authenticate with 'omlx mcp login'."
+            )
+
         async with httpx.AsyncClient() as client:
             resp = await client.post(
                 token_url,
@@ -447,6 +455,9 @@ async def _do_refresh(
         # Propagate the registered client_id so it is persisted on re-save
         if stored_token and stored_token.registered_client_id:
             token.registered_client_id = stored_token.registered_client_id
+        # Propagate the discovered token_url so refresh keeps working
+        if stored_token and stored_token.token_url:
+            token.token_url = stored_token.token_url
         return token
 
 

omlx/mcp/token_store.py

@@ -36,6 +36,9 @@ class TokenData:
     # Persisted client_id obtained via Dynamic Client Registration (DCR).
     # Set when the server uses RFC 7591 auto-registration (e.g. Notion remote MCP).
     registered_client_id: Optional[str] = None
+    # Token endpoint URL discovered via RFC 8414 metadata.
+    # Persisted so token refresh works even when auth_config.token_url is empty.
+    token_url: Optional[str] = None
 
     @property
     def is_expired(self) -> bool:

omlx/server.py

@@ -2093,15 +2093,15 @@ async def create_chat_completion(
             # Append tool result turns
             for result_msg in tool_result_msgs:
                 msg = dict(result_msg)
-                # Harmony chat_template applies |tojson to content — keep as dict/list.
-                # Guard against json.loads returning None (e.g. "null") which would
-                # cause a TypeError in Jinja2 `in` containment checks on the template.
+                # Harmony chat_template applies |tojson to content — keep as dict.
+                # Only unpack JSON objects (dicts); lists and scalars stay as JSON
+                # strings to avoid the Jinja2 |items filter failing on non-mappings.
                 if engine.model_type == "gpt_oss":
                     content = msg.get("content", "")
                     if isinstance(content, str):
                         try:
                             parsed = json.loads(content)
-                            if parsed is not None:
+                            if isinstance(parsed, dict):
                                 msg["content"] = parsed
                         except (json.JSONDecodeError, ValueError):
                             pass
@@ -2788,15 +2788,15 @@ async def stream_chat_completion(
             # Append tool result turns
             for result_msg in tool_result_msgs:
                 msg = dict(result_msg)
-                # Harmony chat_template applies |tojson to content — keep as dict/list.
-                # Guard against json.loads returning None (e.g. "null") which would
-                # cause a TypeError in Jinja2 `in` containment checks on the template.
+                # Harmony chat_template applies |tojson to content — keep as dict.
+                # Only unpack JSON objects (dicts); lists and scalars stay as JSON
+                # strings to avoid the Jinja2 |items filter failing on non-mappings.
                 if engine.model_type == "gpt_oss":
                     content_val = msg.get("content", "")
                     if isinstance(content_val, str):
                         try:
                             parsed = json.loads(content_val)
-                            if parsed is not None:
+                            if isinstance(parsed, dict):
                                 msg["content"] = parsed
                         except (json.JSONDecodeError, ValueError):
                             pass