Skip to content

fix: restore Atlassian MCP OAuth by removing stale Passport dependency#1068

Merged
ct3685 merged 2 commits into
stagingfrom
ct/fix-atlassian-mcp-oauth-strategy
May 15, 2026
Merged

fix: restore Atlassian MCP OAuth by removing stale Passport dependency#1068
ct3685 merged 2 commits into
stagingfrom
ct/fix-atlassian-mcp-oauth-strategy

Conversation

@ct3685
Copy link
Copy Markdown

@ct3685 ct3685 commented May 15, 2026
edited
Loading

Summary

Commit 1 — fix: Atlassian MCP OAuth 500 error

  • Root cause: Commit 0ae736e41 intentionally disabled Passport.js session infrastructure when the AAI JWT/API-key auth system was integrated. The atlassian-dynamic Passport strategy was left in place but never ran because Passport was never initialized — causing a hard 500: Unknown authentication strategy "atlassian-dynamic" on every OAuth callback.
  • Fix: Removed Passport from the Atlassian auth flow entirely. Token exchange logic now lives directly in the controller using the already-existing utility functions exchangeCodeForTokens, createCompleteCredentialData, clearPendingRegistration from utils/index.ts.
  • Removed dead code: The GET /api/v1/atlassian-auth/ root route and authenticate controller method (both solely called passport.authenticate(...)) are gone.

Commit 2 — feat: pre-fetch cloudId context to prevent null cloudId errors (global fix for all Atlassian actions)

  • Root cause: The Atlassian Remote MCP server requires a cloudId parameter for almost every Jira/Confluence tool call (add_comment_to_jira_issue, search_jira_issues, create_jira_issue, write:confluence-content, etc.). Without upfront knowledge of it, the LLM would pass null, receive a -32602 validation error, then self-correct by calling get_accessible_resources before retrying — one wasted round-trip on every first call.
  • Fix is global across all Atlassian MCP actions: During getTools() initialization, the node invokes get_accessible_resources using its own MCPTool instance (no new MCP SDK imports), parses the cloud resource list, then iterates every tool returned by the MCP server and appends a cloudId hint to the description of any tool that declares a cloudId parameter in its zod schema. This covers all current and future Atlassian MCP tools automatically — no per-action changes needed.
    • Single site: [cloudId for this Atlassian site: "8ca3c755..." (lastrev — https://lastrev.atlassian.net)]
    • Multi-site: [Available Atlassian cloudIds: "8ca3c755..." → lastrev, "f08c36cd..." → lastrev-new]
  • Falls back silently if the pre-fetch fails, so no regression on errors.
  • Node version bumped 1.0 → 1.1.

Files changed

File Change
packages/server/src/controllers/atlassian-auth/index.ts Removed Passport; inlined OAuth flow using existing utilities; removed dead authenticate method
packages/server/src/routes/atlassian-auth/index.ts Removed Passport import and middleware; removed dead root route
packages/server/src/config/passport.ts Removed atlassian-dynamic CustomStrategy and its unused imports
packages/components/nodes/tools/MCP/Atlassian/AtlassianMcp.ts Added fetchCloudResources + enrichToolsWithCloudContext; bumped version to 1.1

OAuth callback flow (unchanged behavior)

  1. UI calls GET /api/v1/atlassian-auth/mcp-initialize → registers dynamic OAuth client, returns sessionId, client_id, authorization_endpoint, redirect_uri, scope
  2. UI opens popup → user authenticates → Atlassian redirects to /api/v1/atlassian-auth/callback?code=...&state=<sessionId>
  3. Controller exchanges code for tokens using stored client credentials → builds credential object → posts AUTH_SUCCESS to opener

Test plan

  • Start local dev server (pnpm dev)
  • Navigate to Credentials and create a new Atlassian MCP credential
  • Click "Connect with Atlassian" — popup opens and completes without 500 error
  • Save credential and add Atlassian MCP node to a chatflow
  • Verify the node's "Available Actions" dropdown loads correctly (cloudId hints visible in descriptions)
  • Run a Jira action (comment, search, create) — confirm it succeeds on the first attempt without a get_accessible_resources round-trip
  • Run a Confluence action — confirm same first-attempt success
  • Test with multiple Atlassian sites connected — confirm all cloudIds appear in the hint
  • Verify token refresh still works (refreshStoredCredentialTokens path unchanged)
  • Verify Salesforce and Google OAuth flows are unaffected

Target branch

staging

@ct3685
fix: restore Atlassian MCP OAuth by removing stale Passport dependency
1a05a24 
The atlassian-dynamic Passport strategy was registered in config/passport.ts
but passportConfig(passport) and passport.initialize() were intentionally
commented out in commit 0ae736e when the AAI JWT/API-key auth system was
integrated. This caused a hard 500 'Unknown authentication strategy' error
on every Atlassian OAuth callback.

- Inline token exchange directly in atlassianAuthCallback controller using
  the existing exchangeCodeForTokens, createCompleteCredentialData, and
  clearPendingRegistration utilities from utils/index.ts
- Remove passport.authenticate() middleware from the callback route
- Remove the dead GET / root route and authenticate controller method
- Remove the atlassian-dynamic CustomStrategy from config/passport.ts along
  with its now-unused passport-custom and mcp-metadata imports
@vercel
Copy link
Copy Markdown

vercel Bot commented May 15, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
answerai-docs Building Building Preview May 15, 2026 3:29pm
the-answerai Building Building Preview May 15, 2026 3:29pm

Request Review

@ct3685 ct3685 added the bug Something isn't working label May 15, 2026
@ct3685
feat: pre-fetch cloudId context in Atlassian MCP node to prevent null…
e891b58 
… cloudId errors

The Atlassian Remote MCP server requires a cloudId parameter for almost all
Jira/Confluence tool calls. Without knowing the cloudId upfront, the LLM would
pass null and receive a -32602 validation error, requiring a self-correcting
get_accessible_resources round-trip before it could proceed.

Fix: during getTools() initialization, invoke get_accessible_resources using
its own MCPTool instance (no new MCP SDK imports needed), parse the cloud
resource list, then append a cloudId hint to the description of every tool
that declares a cloudId parameter in its zod schema.

Single site: '[cloudId for this Atlassian site: "8ca3c755..." (lastrev)]'
Multi-site:  '[Available Atlassian cloudIds: "8ca3c755..." -> lastrev, ...]'

Falls back silently if the pre-fetch fails, so no regression on errors.
@ct3685 ct3685 added enhancement New feature or request dependencies Pull requests that update a dependency file minor-update backend Improvement labels May 15, 2026
@ct3685 ct3685 merged commit 00bae11 into staging May 15, 2026
5 of 8 checks passed
@ct3685 ct3685 deleted the ct/fix-atlassian-mcp-oauth-strategy branch May 15, 2026 16:12
@github-actions github-actions Bot mentioned this pull request May 15, 2026
Merged
ct3685 added a commit that referenced this pull request May 15, 2026
@github-actions @ct3685
chore(release): staging to production - 2026.05.15 (#1069)
e63301b 
## 🚀 Release: Staging to Production

**Release Date:** 2026-05-15

### Changes in this release

- fix: add missing KeyboardArrowDownIcon import (7d7216e)
- feat: collapsible template banner with count pill, green/amber
theming, always-green badge (#1074) (99e0c8b)
- feat: turn template banner green when all chatflows are up to date
(#1073) (7314af5)
- fix: reload page after bulk chatflow update and show in-progress state
(#1072) (5ca478d)
- fix: preserve workspaceId in bulkUpdateChatflows + optional template
name sync (#1071) (3e166d6)
- chore: update dependencies for improved compatibility and
functionality (#1070) (6451d83)
- fix: restore Atlassian MCP OAuth by removing stale Passport dependency
(#1068) (00bae11)

---
*This PR is automatically created/updated when commits are pushed to
staging.*
*Merging this PR will trigger the release workflow to create a new
GitHub release.*

---------

Co-authored-by: Cameron Taylor <50385537+ct3685@users.noreply.github.com>
Co-authored-by: Cameron Taylor <cameron@lastrev.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

backend bug Something isn't working dependencies Pull requests that update a dependency file enhancement New feature or request Improvement minor-update

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ct3685