OAuth authentication fails with Temporal MCP server using Google-based anonymous authentication

[piotrmucha]

Describe the bug

When attempting to configure the Temporal documentation MCP server (https://temporal.mcp.kapa.ai) in GitHub Copilot CLI, the OAuth authentication flow fails with a server error despite the MCP server being correctly configured.

The Temporal MCP server uses anonymous authentication via Google OAuth for rate limiting purposes (as documented at https://docs.temporal.io/with-ai). While the OAuth discovery phase completes successfully (authorization server is detected and client ID is generated), the actual Google authentication callback returns an error.

Authorization Failed
An unexpected error occurred

Browser callback shows:
http://127.0.0.1:54428/?error=server_error&error_description=An+unexpected+error+occurred&state=GtnP-jKGQzPNrs7GO6hHlGkdrvDxSOeS6U3nvaOpSvM

This issue appears to be a compatibility problem between Copilot CLI's OAuth implementation and the specific Google-based anonymous authentication pattern used by the Temporal MCP server.

Affected version

0.0.402

Steps to reproduce the behavior

1. Create or edit ~/.copilot/mcp-config.json with the following content:

{
  "mcpServers": {
    "temporal": {
      "type": "http",
      "url": "https://temporal.mcp.kapa.ai",
      "tools": ["*"],
      "headers": {}
    }
  }
}

2. Start Copilot CLI
3. Observe the OAuth authentication prompt:

Server Saved

OAuth authentication is required for temporal.

Press Enter to open browser and authenticate 

4. Press Enter to open the browser for authentication
5. Observer error:

• Browser opens with URL: http://127.0.0.1:54428/?error=server_error&error_description=An+unexpected+error+occurred&state=...
• Message displayed: "Authorization Failed: An unexpected error occurred"

What's working:

• OAuth discovery phase completes successfully
• Files created in ~/.copilot/mcp-oauth-config/:

dc8640877498037fb5c73919aa48495575895f2afed1802c6acd8956d6dd7c9f.json
dc8640877498037fb5c73919aa48495575895f2afed1802c6acd8956d6dd7c9f.verifier

• OAuth configuration correctly identifies authorization server: https://mcp.kapa.ai/auth/google

Expected behavior

• Auth authentication flow should complete successfully with Google authentication
• User should be able to authenticate anonymously using their Google account
• After authentication, the Temporal MCP server tools should be available in Copilot CLI
• The authentication experience should match what works in Claude Desktop and Claude Code (both confirmed working with the same Temporal MCP server), and it works also correctly with Cursor.

This confirms the issue is specific to Copilot CLI's OAuth implementation rather than the MCP server itself.

Additional context

Operating system: macOS
Terminal emulator: native macos terminal
Shell: zsh