Improved Auth Flow

[dcramer]

We need effectively two flows that are going to reuse the upstream Sentry OAuth consumption:

1. MCP-initiated, with the cloudflare oauth proxy and dynamic client registration
2. Self-initiated, allowing us to get your userId and bind it in a local web session

This allows us to associate all data within a durable object on the user's ID attribute. That object will contain a few concerns:

• a list of client IDs (MCP clients effectively)
• a default organization per client ID

Around (1) this will be auto populated and/or populated via an intermediate step as defined in #1.

For (2) this will give you effectively a "settings" screen (#3), which should also allow you to revoke an upstream token (unclear if thats possible yet today) - see also #2.

[dcramer]

Started PoC in feat/user-config

[dcramer]

Related #24

[jberends]

maybe allow authentication with your own API key?! Like all the other MCP's out there.

injectable as environment variable?

[dcramer]

PATs are already supported via stdio

[gardner]

I disabled this mcp because it would launch a browser window to authenticate with Sentry when I opened Claude Desktop. It was a bit jarring, especially when I didn't intend to use Sentry. I'll dig around in this repo for info on how to set up a PAT. I didn't see it in the docs.

[dcramer]

@gardner gotcha - yeah thats a bad experience. Hopefully clients will sort that out soon. I think VSCode for example doesnt have this issue (Insiders edition):

{
  "servers": {
    "sentry": {
      "url": "https://mcp.sentry.dev/mcp"
    }
  }
}

[gardner]

I found the PAT config in the README.

sentry-mcp/README.md

Line 36 in 84b5e74

npx @sentry/mcp-server@latest --access-token=sentry-pat --host=sentry.example.com

After I created an Access Token in my account, which I logged into using Google OIDC, Claude couldn't see my projects.

I tried to delete some projects to reduce the number of projects, thinking it might be a paging issue.

I needed a password to delete projects, so I reset the password and logged in using it. That's when I noticed there is a different instance (with a different URL) with different projects in it.

So, there are two accounts using the same email with different login methods. I was able to create an Access Token while logged into one account that only has access to projects in the other account.

This is understandable but somehow feels like it shouldn't be allowed. I think I submitted a help request using the web form but I haven't received a confirmation email, so now I am logging into a Discord which is something I usally try to avoid.

I really like Sentry. This is the first weird thing I've noticed with the service.

Thanks for coming to my TED talk. 🙏