Fix ngrok invocation

- The OAUTH from ngrok could not be handled by OpenAI and was only haölf implemented. The policy file is the right way but it still wont detect it.. - Most importantly we trail the logs at the end of the script to avoid the script from terminating.
2025-10-11 12:32:03 +02:00 · 2025-10-11 12:32:03 +02:00 · 546c5ed0a7
parent 0a5c29c1ce
commit 546c5ed0a7
2 changed files with 22 additions and 28 deletions
--- a/scripts/oauth_policy.yml
+++ b/scripts/oauth_policy.yml
@ -0,0 +1,9 @@
+on_http_request:
+  - actions:
+    - type: oauth
+      config:
+        provider: google
+  - expressions:
+      - "!(actions.ngrok.oauth.identity.email in ['andre.heinecke@gmail.com'])"
+    actions:
+      - type: deny
--- a/scripts/run_mcp_ngrok.sh
+++ b/scripts/run_mcp_ngrok.sh
@ -20,10 +20,7 @@ Options:
                           (default: https://platform.openai.com).
  --ngrok-domain DOMAIN    Reserved ngrok domain to use (optional).
  --ngrok-region REGION    ngrok region code (optional).
-  --ngrok-oauth-provider PROVIDER   Enable ngrok OAuth (e.g. google, github).
-  --ngrok-oauth-allow-email EMAIL  Restrict OAuth to a specific email (repeatable).
-  --ngrok-oauth-allow-domain DOMAIN Restrict OAuth to an email domain (repeatable).
-  --ngrok-oauth-scope SCOPE        Additional OAuth scope (repeatable).
+  --ngrok-oauth-policy-file PROVIDER   Enable ngrok OAuth (e.g. google, github).
  --ngrok-inspect true|false    Enable ngrok inspector (default: false).
  --mcp-arg ARG             Extra argument passed to mcp-browser (repeatable).
  --ngrok-arg ARG           Extra argument passed to ngrok (repeatable).
@ -47,11 +44,9 @@ HTTP_PATH="/mcp"
 ALLOW_ORIGIN="https://platform.openai.com"
 NGROK_DOMAIN=""
 NGROK_REGION=""
-NGROK_OAUTH_PROVIDER=""
-NGROK_OAUTH_ALLOW_EMAILS=()
-NGROK_OAUTH_ALLOW_DOMAINS=()
-NGROK_OAUTH_SCOPES=()
-NGROK_INSPECT="false"
+NGROK_OAUTH_POLICY_FILE=""
+#""$(dirname $0)/oauth_policy.yml"
+NGROK_INSPECT="true"
 MCP_EXTRA_ARGS=()
 NGROK_EXTRA_ARGS=()

@ -73,14 +68,8 @@ while [[ $# -gt 0 ]]; do
      NGROK_DOMAIN=$2; shift 2;;
    --ngrok-region)
      NGROK_REGION=$2; shift 2;;
-    --ngrok-oauth-provider)
-      NGROK_OAUTH_PROVIDER=$2; shift 2;;
-    --ngrok-oauth-allow-email)
-      NGROK_OAUTH_ALLOW_EMAILS+=("$2"); shift 2;;
-    --ngrok-oauth-allow-domain)
-      NGROK_OAUTH_ALLOW_DOMAINS+=("$2"); shift 2;;
-    --ngrok-oauth-scope)
-      NGROK_OAUTH_SCOPES+=("$2"); shift 2;;
+    --ngrok-oauth-policy-file)
+      NGROK_OAUTH_POLICY_FILE=$2; shift 2;;
    --ngrok-inspect)
      NGROK_INSPECT=$2; shift 2;;
    --mcp-arg)
@ -178,6 +167,7 @@ fi

 NGROK_CMD=("$NGROK_BIN" http "http://$HTTP_HOST:$HTTP_PORT")
 NGROK_CMD+=(--request-header-add "X-MCP-Gateway:true")
+NGROK_CMD+=(--request-header-add "ngrok-skip-browser-warning:1")
 NGROK_CMD+=(--response-header-add "Cache-Control:no-store")
 NGROK_CMD+=(--inspect="$NGROK_INSPECT")
 if [[ -n "$NGROK_DOMAIN" ]]; then
@ -186,18 +176,10 @@ fi
 if [[ -n "$NGROK_REGION" ]]; then
  NGROK_CMD+=(--region "$NGROK_REGION")
 fi
-if [[ -n "$NGROK_OAUTH_PROVIDER" ]]; then
-  NGROK_CMD+=(--oauth="$NGROK_OAUTH_PROVIDER")
-  for email in "${NGROK_OAUTH_ALLOW_EMAILS[@]}"; do
-    NGROK_CMD+=(--oauth-allow-email "$email")
-  done
-  for domain in "${NGROK_OAUTH_ALLOW_DOMAINS[@]}"; do
-    NGROK_CMD+=(--oauth-allow-domain "$domain")
-  done
-  for scope in "${NGROK_OAUTH_SCOPES[@]}"; do
-    NGROK_CMD+=(--oauth-scope "$scope")
-  done
+if [[ -n "$NGROK_OAUTH_POLICY_FILE" ]]; then
+  NGROK_CMD+=(--traffic-policy-file=$NGROK_OAUTH_POLICY_FILE)
 fi
+
 [[ ${#NGROK_EXTRA_ARGS[@]} -gt 0 ]] && NGROK_CMD+=("${NGROK_EXTRA_ARGS[@]}")

 "${NGROK_CMD[@]}" >"$NGROK_LOG" 2>&1 &
@ -242,3 +224,6 @@ Local logs:

 Press Ctrl+C to stop.
 EOF
+
+echo "Showing log files"
+tail -f $MCP_LOG $NGROK_LOG