github →

New request

#20296: ChatGPT Apps OAuth connect flow does not complete for Twenty MCP

We'll provision a sandbox, run an agent against the issue, and open a draft PR. You can pull the branch and iterate from there.

Issue
sonarly:high

Summary

Creating a ChatGPT app/connector against the Twenty MCP endpoint with OAuth support does not complete the connection flow. ChatGPT shows the app as OAuth-supported, but after clicking Connect, the app remains disconnected and shows no actions.

Reproduction

  1. In ChatGPT, enable Developer Mode for Apps/Connectors.
  2. Create a new app with:
    • Name: Twenty
    • MCP Server URL: https://api.twenty.com/mcp
    • Authentication: OAuth
  3. Open the app details page.
  4. Click Connect.

Observed behavior

  • ChatGPT shows the app as OAuth-supported.
  • The app details page still shows the Connect button after the flow.
  • Actions says No app actions available yet.
  • The connection does not appear to reach a completed authenticated state.

Expected behavior

  • ChatGPT should redirect/open the Twenty OAuth authorization page.
  • After the user authorizes, ChatGPT should complete the OAuth callback.
  • The app should show as connected and expose Twenty MCP tools/actions.

Endpoint checks

The public endpoints appear reachable:

  • GET https://api.twenty.com/.well-known/oauth-protected-resource/mcp returns protected resource metadata with:
    • resource: https://api.twenty.com/mcp
    • authorization_servers: ["https://api.twenty.com"]
    • scopes api profile
  • GET https://api.twenty.com/.well-known/oauth-authorization-server returns OAuth discovery metadata with:
    • authorization_endpoint: https://app.twenty.com/authorize
    • token_endpoint: https://api.twenty.com/oauth/token
    • registration_endpoint: https://api.twenty.com/oauth/register
    • code_challenge_methods_supported: ["S256"]
  • Dynamic client registration succeeds with 201 when posting to https://api.twenty.com/oauth/register.
  • The generated https://app.twenty.com/authorize?... URL serves the Twenty frontend.

Suspected issue

This may be an MCP OAuth compatibility issue around the OAuth resource parameter.

In the current code, the authorize page parses client_id, code_challenge, redirect_uri, and state, but does not preserve resource:

  • packages/twenty-front/src/pages/auth/Authorize.tsx

The authorization code context stores redirect URI, client id, scope, and PKCE challenge, but not the requested resource:

  • packages/twenty-server/src/engine/core-modules/auth/services/auth.service.ts

The token endpoint input/exchange path also does not accept or validate a resource parameter:

  • packages/twenty-server/src/engine/core-modules/application/application-oauth/dtos/oauth-token.input.ts
  • packages/twenty-server/src/engine/core-modules/application/application-oauth/controllers/oauth-token.controller.ts
  • packages/twenty-server/src/engine/core-modules/application/application-oauth/oauth.service.ts

If ChatGPT sends resource=https://api.twenty.com/mcp during authorization/token exchange, Twenty may need to preserve and validate that value through the OAuth flow.

Notes

A local patch was briefly tested to pass resource from /authorize into the authorization-code context and validate it during token exchange, but it was reverted pending issue tracking and review.

Assessmentadvisory
bug●●● hard80% confidence

OAuth MCP integration failure spans backend authorization-server metadata, callback handling, and potentially frontend redirect logic.

Likely files
  • packages/twenty-server/src/engine/core-modules/mcp/mcp.controller.ts
  • packages/twenty-server/src/engine/core-modules/auth/oauth/oauth.service.ts
  • packages/twenty-server/src/engine/core-modules/auth/authorization-server/authorization-server.service.ts
  • packages/twenty-front/src/pages/authorize.tsx
  • packages/twenty-server/src/engine/core-modules/auth/strategies/oauth.strategy.ts
Create the request

This opens a fresh agent run and a draft PR for issue #20296.

Cancel