Reform Notion MCP guide for Kubernetes remote proxy support #1004
Open
danbarr wants to merge 2 commits into
The K8s tab claimed the operator doesn't support remote MCP servers with OAuth, which hasn't been true for a long time. Replace the static-integration-key workaround with a verified MCPRemoteProxy + embedded authorization server setup. Notion's remote MCP server only supports Dynamic Client Registration for third-party OAuth clients, so the guide walks through minting persistent credentials via DCR instead of a dashboard app. Callouts cover two gotchas found while verifying this end to end: the issuer field must stay path-free, and the upstream redirectUri default computed from resourceUrl breaks once resourceUrl has a path.
Pull request overview
Updates the Notion remote MCP server guide to correct Kubernetes guidance and document a working remote-proxy + embedded authorization server flow, including Dynamic Client Registration (DCR) for Notion’s OAuth client credentials.
Changes:
- Replaces the prior “static integration key” Kubernetes workaround with an MCPRemoteProxy + MCPExternalAuthConfig (embedded auth server) setup.
- Adds a DCR-based “mint persistent client credentials” step and expands Kubernetes-specific operational/troubleshooting guidance around sessions and OAuth flow debugging.
- Updates recommended practices/troubleshooting to reflect the embedded-auth-server session model and points external exposure guidance at connect-clients.mdx.
Rephrase four spaced-hyphen sentence separators per the style guide.
Clarify why this guide sets redirectUri explicitly instead of relying
on the documented {resourceUrl}/oauth/callback default: that default
only works for a bare-host resourceUrl, and breaks once resourceUrl
has a path (as it does here), since the callback route is only ever
served at the host root. Cross-references the relevant auth-k8s.mdx
section instead of leaving the divergence unexplained.
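The two URL gotchas named in this pull request, written as a small pre-deployment check. This is an added example, not code from the pull request or the ToolHive docs; it takes the three values as plain strings, and the function names, the trailing-slash handling and the mcp.example.com sample values are assumptions.

```python
from typing import List, Optional
from urllib.parse import urlsplit

# Callback route named on this page; it is served only at the host root.
CALLBACK_PATH = "/oauth/callback"


def default_redirect_uri(resource_url: str) -> str:
    """Default described on this page: {resourceUrl}/oauth/callback.

    Dropping a trailing slash first is an assumption of this sketch.
    """
    return resource_url.rstrip("/") + CALLBACK_PATH


def check_auth_urls(issuer: str, resource_url: str,
                    redirect_uri: Optional[str] = None) -> List[str]:
    """Return one finding per gotcha hit; an empty list means both pass."""
    findings = []

    # Gotcha 1: the issuer must stay path-free. A lone trailing "/" is
    # treated as no path here (assumption).
    issuer_path = urlsplit(issuer).path
    if issuer_path not in ("", "/"):
        findings.append(f"issuer has path {issuer_path!r}; it must be path-free")

    # Gotcha 2: whichever callback is in effect must land on the host-root
    # route. The computed default only does so for a bare-host resourceUrl.
    source = "redirectUri" if redirect_uri else "default redirectUri"
    effective = redirect_uri or default_redirect_uri(resource_url)
    callback_path = urlsplit(effective).path
    if callback_path != CALLBACK_PATH:
        findings.append(
            f"{source} resolves to {callback_path!r}, not {CALLBACK_PATH!r}; "
            "set redirectUri explicitly to the host-root callback"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample values; mcp.example.com and /notion/mcp are placeholders.
    for args in [
        ("https://mcp.example.com", "https://mcp.example.com/notion/mcp", None),
        ("https://mcp.example.com", "https://mcp.example.com/notion/mcp",
         "https://mcp.example.com/oauth/callback"),
        ("https://mcp.example.com/auth", "https://mcp.example.com", None),
    ]:
        print(args, "->", check_auth_urls(*args) or "ok")
```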
Description
The Kubernetes tab claimed the ToolHive operator doesn't support remote MCP servers with OAuth, which hasn't been true for a long time. Replaced the static-integration-key workaround with a verified MCPRemoteProxy + embedded authorization server setup.
Notion's remote MCP server only supports Dynamic Client Registration for third-party OAuth clients, so the guide walks through minting persistent credentials via DCR instead of a dashboard app. Two callouts cover gotchas found while verifying this end to end against a real cluster and a real Notion account: the issuer field must stay path-free, and the upstream redirectUri default computed from resourceUrl breaks once resourceUrl has a path.
Also updated the Overview, Recommended Practices, and Troubleshooting sections to reflect the embedded-auth-server session model instead of a bare pass-through, and pointed the "expose the proxy externally" reference at the more complete connect-clients.mdx guide instead of a thinner duplicate section.
Type of change
Related issues/PRs
N/A
Screenshots
N/A - no visual or sidebar changes.
Submitter checklist
Content and formatting
Reviewer checklist
Content