Update OAuth examples to always include client secret

- Remove "optional" language for client secret
- Add client secret to all code examples
- Update CLI flag description to say "recommended"
- Update code comment from "Optional" to "Recommended"
- Align with best practice that GitHub OAuth apps should provide both ID and secret

Co-authored-by: SamMorrowDrums <4811358+SamMorrowDrums@users.noreply.github.com>

Author: Copilot

README.md

@@ -201,20 +201,25 @@ For stdio mode (local binary execution), you can use OAuth 2.1 with PKCE instead
 ```bash
 # 1. Create GitHub OAuth App at https://github.com/settings/developers
 # 2. Run with Docker (device flow automatic)
-docker run -i --rm -e GITHUB_OAUTH_CLIENT_ID=your_client_id ghcr.io/github/github-mcp-server
+docker run -i --rm \
+  -e GITHUB_OAUTH_CLIENT_ID=your_client_id \
+  -e GITHUB_OAUTH_CLIENT_SECRET=your_client_secret \
+  ghcr.io/github/github-mcp-server
 # → Displays: Visit https://github.com/login/device and enter code: ABCD-1234
 ```
 
 **Option 2: Interactive Flow (Best UX)**
 ```bash
 # For native binary
 export GITHUB_OAUTH_CLIENT_ID=your_client_id
+export GITHUB_OAUTH_CLIENT_SECRET=your_client_secret
 ./github-mcp-server stdio
 # → Browser opens automatically
 
 # For Docker with port binding (requires setup in OAuth app callback)
 docker run -i --rm -p 8080:8080 \
   -e GITHUB_OAUTH_CLIENT_ID=your_client_id \
+  -e GITHUB_OAUTH_CLIENT_SECRET=your_client_secret \
   -e GITHUB_OAUTH_CALLBACK_PORT=8080 \
   ghcr.io/github/github-mcp-server
 # → Browser opens automatically (callback works via bound port)
@@ -226,12 +231,11 @@ docker run -i --rm -p 8080:8080 \
    - For native binary: Set callback URL to `http://localhost` (port is dynamic)
    - For Docker with port binding: Set callback URL to `http://localhost:PORT/callback` (your chosen port)
    - For Docker with device flow: No callback URL needed
-   - For public clients, you can use PKCE without a client secret
 
 2. Set your OAuth app credentials:
    ```bash
    export GITHUB_OAUTH_CLIENT_ID=your_client_id
-   export GITHUB_OAUTH_CLIENT_SECRET=your_client_secret  # Optional for public clients with PKCE
+   export GITHUB_OAUTH_CLIENT_SECRET=your_client_secret
    ```
 
 3. Run the server without a PAT:
@@ -240,11 +244,15 @@ docker run -i --rm -p 8080:8080 \
    ./github-mcp-server stdio
 
    # Docker - device flow (automatic)
-   docker run -i --rm -e GITHUB_OAUTH_CLIENT_ID=your_client_id ghcr.io/github/github-mcp-server
+   docker run -i --rm \
+     -e GITHUB_OAUTH_CLIENT_ID=your_client_id \
+     -e GITHUB_OAUTH_CLIENT_SECRET=your_client_secret \
+     ghcr.io/github/github-mcp-server
 
    # Docker with port binding - interactive PKCE flow
    docker run -i --rm -p 8080:8080 \
      -e GITHUB_OAUTH_CLIENT_ID=your_client_id \
+     -e GITHUB_OAUTH_CLIENT_SECRET=your_client_secret \
      -e GITHUB_OAUTH_CALLBACK_PORT=8080 \
      ghcr.io/github/github-mcp-server
    ```
@@ -254,13 +262,16 @@ The server will automatically detect the environment and use the appropriate OAu
 #### OAuth Configuration Options
 
 - `--oauth-client-id` / `GITHUB_OAUTH_CLIENT_ID` - Your GitHub OAuth app client ID (required for OAuth flow)
-- `--oauth-client-secret` / `GITHUB_OAUTH_CLIENT_SECRET` - Your client secret (optional, PKCE is used)
+- `--oauth-client-secret` / `GITHUB_OAUTH_CLIENT_SECRET` - Your GitHub OAuth app client secret (required)
 - `--oauth-scopes` / `GITHUB_OAUTH_SCOPES` - Comma-separated list of scopes (defaults: `repo,user,gist,notifications,read:org,project`)
 - `--oauth-callback-port` / `GITHUB_OAUTH_CALLBACK_PORT` - Fixed callback port for Docker (0 for random)
 
 Example with custom scopes:
 ```bash
-./github-mcp-server stdio --oauth-client-id YOUR_CLIENT_ID --oauth-scopes repo,user
+./github-mcp-server stdio \
+  --oauth-client-id YOUR_CLIENT_ID \
+  --oauth-client-secret YOUR_CLIENT_SECRET \
+  --oauth-scopes repo,user
 ```
 
 #### Pre-configured MCP Host Setup
@@ -271,8 +282,13 @@ OAuth can be pre-configured for MCP hosts (similar to PAT distribution). For Doc
 ```bash
 claude mcp add github \
   -e GITHUB_OAUTH_CLIENT_ID=your_client_id \
+  -e GITHUB_OAUTH_CLIENT_SECRET=your_client_secret \
   -e GITHUB_OAUTH_CALLBACK_PORT=8080 \
-  -- docker run -i --rm -p 8080:8080 -e GITHUB_OAUTH_CLIENT_ID -e GITHUB_OAUTH_CALLBACK_PORT ghcr.io/github/github-mcp-server
+  -- docker run -i --rm -p 8080:8080 \
+     -e GITHUB_OAUTH_CLIENT_ID \
+     -e GITHUB_OAUTH_CLIENT_SECRET \
+     -e GITHUB_OAUTH_CALLBACK_PORT \
+     ghcr.io/github/github-mcp-server
 ```
 
 **VS Code (settings.json):**
@@ -282,9 +298,14 @@ claude mcp add github \
     "servers": {
       "github": {
         "command": "docker",
-        "args": ["run", "-i", "--rm", "-p", "8080:8080", "-e", "GITHUB_OAUTH_CLIENT_ID", "-e", "GITHUB_OAUTH_CALLBACK_PORT", "ghcr.io/github/github-mcp-server"],
+        "args": ["run", "-i", "--rm", "-p", "8080:8080", 
+                 "-e", "GITHUB_OAUTH_CLIENT_ID", 
+                 "-e", "GITHUB_OAUTH_CLIENT_SECRET",
+                 "-e", "GITHUB_OAUTH_CALLBACK_PORT", 
+                 "ghcr.io/github/github-mcp-server"],
         "env": {
           "GITHUB_OAUTH_CLIENT_ID": "${input:github_oauth_client_id}",
+          "GITHUB_OAUTH_CLIENT_SECRET": "${input:github_oauth_client_secret}",
           "GITHUB_OAUTH_CALLBACK_PORT": "8080"
         }
       }

cmd/github-mcp-server/main.go

@@ -136,7 +136,7 @@ func init() {
 
 	// OAuth flags (stdio mode only)
 	rootCmd.PersistentFlags().String("oauth-client-id", "", "GitHub OAuth app client ID (enables interactive OAuth flow if token not set)")
-	rootCmd.PersistentFlags().String("oauth-client-secret", "", "GitHub OAuth app client secret (optional for public clients with PKCE)")
+	rootCmd.PersistentFlags().String("oauth-client-secret", "", "GitHub OAuth app client secret (recommended)")
 	rootCmd.PersistentFlags().StringSlice("oauth-scopes", nil, "OAuth scopes to request (comma-separated)")
 	rootCmd.PersistentFlags().Int("oauth-callback-port", 0, "Fixed port for OAuth callback (0 for random, required for Docker with -p flag)")
 

internal/oauth/oauth.go

@@ -26,7 +26,7 @@ const (
 // Config holds the OAuth configuration
 type Config struct {
 	ClientID      string
-	ClientSecret  string // Optional for public clients with PKCE
+	ClientSecret  string // Recommended for GitHub OAuth apps
 	RedirectURL   string
 	Scopes        []string
 	AuthURL       string