New request
#20296: ChatGPT Apps OAuth connect flow does not complete for Twenty MCP
We'll provision a sandbox, run an agent against the issue, and open a draft PR. You can pull the branch and iterate from there.
Summary
Creating a ChatGPT app/connector against the Twenty MCP endpoint with OAuth support does not complete the connection flow. ChatGPT shows the app as OAuth-supported, but after clicking Connect, the app remains disconnected and shows no actions.
Reproduction
- In ChatGPT, enable Developer Mode for Apps/Connectors.
- Create a new app with:
- Name:
Twenty - MCP Server URL:
https://api.twenty.com/mcp - Authentication:
OAuth
- Name:
- Open the app details page.
- Click
Connect.
Observed behavior
- ChatGPT shows the app as OAuth-supported.
- The app details page still shows the
Connectbutton after the flow. ActionssaysNo app actions available yet.- The connection does not appear to reach a completed authenticated state.
Expected behavior
- ChatGPT should redirect/open the Twenty OAuth authorization page.
- After the user authorizes, ChatGPT should complete the OAuth callback.
- The app should show as connected and expose Twenty MCP tools/actions.
Endpoint checks
The public endpoints appear reachable:
GET https://api.twenty.com/.well-known/oauth-protected-resource/mcpreturns protected resource metadata with:resource: https://api.twenty.com/mcpauthorization_servers: ["https://api.twenty.com"]- scopes
api profile
GET https://api.twenty.com/.well-known/oauth-authorization-serverreturns OAuth discovery metadata with:authorization_endpoint: https://app.twenty.com/authorizetoken_endpoint: https://api.twenty.com/oauth/tokenregistration_endpoint: https://api.twenty.com/oauth/registercode_challenge_methods_supported: ["S256"]
- Dynamic client registration succeeds with
201when posting tohttps://api.twenty.com/oauth/register. - The generated
https://app.twenty.com/authorize?...URL serves the Twenty frontend.
Suspected issue
This may be an MCP OAuth compatibility issue around the OAuth resource parameter.
In the current code, the authorize page parses client_id, code_challenge, redirect_uri, and state, but does not preserve resource:
packages/twenty-front/src/pages/auth/Authorize.tsx
The authorization code context stores redirect URI, client id, scope, and PKCE challenge, but not the requested resource:
packages/twenty-server/src/engine/core-modules/auth/services/auth.service.ts
The token endpoint input/exchange path also does not accept or validate a resource parameter:
packages/twenty-server/src/engine/core-modules/application/application-oauth/dtos/oauth-token.input.tspackages/twenty-server/src/engine/core-modules/application/application-oauth/controllers/oauth-token.controller.tspackages/twenty-server/src/engine/core-modules/application/application-oauth/oauth.service.ts
If ChatGPT sends resource=https://api.twenty.com/mcp during authorization/token exchange, Twenty may need to preserve and validate that value through the OAuth flow.
Notes
A local patch was briefly tested to pass resource from /authorize into the authorization-code context and validate it during token exchange, but it was reverted pending issue tracking and review.
OAuth MCP integration failure spans backend authorization-server metadata, callback handling, and potentially frontend redirect logic.
- packages/twenty-server/src/engine/core-modules/mcp/mcp.controller.ts
- packages/twenty-server/src/engine/core-modules/auth/oauth/oauth.service.ts
- packages/twenty-server/src/engine/core-modules/auth/authorization-server/authorization-server.service.ts
- packages/twenty-front/src/pages/authorize.tsx
- packages/twenty-server/src/engine/core-modules/auth/strategies/oauth.strategy.ts