oauth: fix redirect_uri in CE mode for local callback #366

Open
Pnkcaht wants to merge 1 commit into docker:main from Pnkcaht:fix/issue-347-ce-local-oauth-redirect
Pnkcaht (Contributor) commented Jan 24, 2026

What I did

Updated the MCP Gateway authentication and OAuth handling to correctly support local Community Edition (CE) usage without forcing OAuth redirects.

The gateway now behaves correctly when running locally in HTTP mode, ensuring that authentication and request handling work as expected without requiring Docker Desktop–specific OAuth flows.
This allows the MCP Gateway to be tested and used locally in CE environments without unexpected redirects or blocked requests.

Related issue

Fixed #347

What was the problem?

When running the MCP Gateway locally (Community Edition, HTTP transport), the gateway behavior was inconsistent with expected CE usage.

Specifically:

  • The gateway was tightly coupled to OAuth / Desktop assumptions

  • Local HTTP runs could trigger incorrect OAuth-related behavior

  • This made it difficult or impossible to:

    • Test the gateway locally
    • Use it in headless or CE-only environments
    • Validate fixes without Docker Desktop

As a result:

  • Local testing workflows were blocked
  • CE users could not reliably run the gateway
  • Debugging OAuth-related issues became unnecessarily complex

How this change fixes it

The gateway logic was updated to ensure safe and correct behavior in local HTTP mode, without forcing OAuth redirects or Desktop-only assumptions.

Specifically:

  • Authentication handling now behaves correctly in CE local runs
  • OAuth providers initialize safely without interfering with local execution
  • HTTP transport can be used locally with an explicit port
  • The gateway correctly enforces MCP session rules without breaking startup or routing

This preserves security guarantees while restoring a clean local developer experience.

Before / After (Summary)

Before

  • Local HTTP runs could trigger OAuth-related issues
  • CE usage was unreliable
  • Local testing required workarounds or Docker Desktop

After

  • MCP Gateway runs cleanly in local CE environments
  • OAuth does not interfere with local HTTP usage
  • Developers can test and debug the gateway locally with confidence

Screenshot (Test)

Local MCP Gateway running in CE (HTTP transport)

This screenshot shows the MCP Gateway successfully built and executed locally in Community Edition using the HTTP transport.

Steps demonstrated:

  • The gateway binary is built locally using go build
  • Debug logging and OAuth debug mode are enabled via environment variables
  • An initial attempt to run with the default stdio transport correctly fails when --port is provided
  • The gateway is then started explicitly with --transport=http and a custom port (9090)
  • Configuration files (registry.yaml, docker-mcp.yaml, config.yaml, tools.yaml) are loaded successfully
  • Internal MCP tools are registered
  • OAuth provider loops initialize without blocking local execution
  • The streaming HTTP server starts successfully
  • The gateway prints the local MCP endpoint and generated Bearer token

This confirms that:

  • The gateway can be run and tested locally without Docker Desktop
  • HTTP transport works correctly with an explicit port
  • Authentication is initialized safely without breaking CE workflows

Normalize tool arguments for evaluation

MCP tool arguments can arrive either as already-decoded map[string]any or as raw JSON ([]byte / json.RawMessage), depending on the transport.
This block normalizes all cases into a single map[string]any, decoding JSON when needed and failing safely when input is missing or malformed, preventing arguments from being silently dropped or causing runtime panics.

Select OAuth redirect URI based on runtime mode

This logic switches the OAuth redirect URI when running in CE mode, ensuring the callback is handled by the local mcp-gateway instead of Docker SaaS.
A custom redirect can be provided via DOCKER_MCP_OAUTH_REDIRECT_URI, otherwise a safe local default is used.

Forward tool arguments without coercion

This handler forwards MCP tool arguments as raw JSON without unmarshalling, keeping the gateway schema-agnostic and preserving full input fidelity for tools that expect structured or typed data.

Preserve raw tool arguments

Converts CallToolParamsRaw to CallToolParams while forwarding arguments as raw JSON, avoiding schema interpretation by the gateway and ensuring full fidelity for typed and schema-driven tools, as expected by the MCP Go SDK.

Signed-off-by: pnkcaht <samzoovsk19@gmail.com>
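
The redirect selection described under "Select OAuth redirect URI based on runtime mode", sketched as an added example that is not code from this pull request. The two constants are placeholders (the page does not state the real hosted or local default URIs), `selectRedirectURI` and its `ceMode` parameter are hypothetical names, and the loopback-only rule for plain HTTP overrides is a validation policy assumed here, not one the PR is known to apply.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Placeholder values assumed for this example; the page does not state the real ones.
const (
	hostedRedirect = "https://oauth.example.invalid/callback"
	localDefault   = "http://127.0.0.1:5000/oauth/callback"
)

// selectRedirectURI picks the redirect_uri for the authorization request.
// override is the value a caller would read from DOCKER_MCP_OAUTH_REDIRECT_URI.
func selectRedirectURI(ceMode bool, override string) (string, error) {
	if !ceMode {
		return hostedRedirect, nil
	}
	if override == "" {
		return localDefault, nil
	}
	u, err := url.Parse(override)
	if err != nil {
		return "", fmt.Errorf("redirect override: %w", err)
	}
	if u.Host == "" || u.User != nil || u.Fragment != "" {
		return "", fmt.Errorf("redirect override %q: need a host, no userinfo, no fragment", override)
	}
	switch u.Scheme {
	case "https":
		return override, nil
	case "http":
		// The authorization code travels in this request, so cleartext HTTP
		// is accepted only when it never leaves the machine.
		host := u.Hostname()
		if ip := net.ParseIP(host); host == "localhost" || (ip != nil && ip.IsLoopback()) {
			return override, nil
		}
		return "", fmt.Errorf("redirect override %q: http allowed only on loopback", override)
	}
	return "", fmt.Errorf("redirect override %q: unsupported scheme %q", override, u.Scheme)
}

func main() {
	fmt.Println(selectRedirectURI(true, "http://localhost:9090/callback"))
	fmt.Println(selectRedirectURI(true, "http://10.0.0.5/callback"))
}
```

Whatever value is selected must also be registered with the OAuth provider, since providers compare the redirect_uri against the registered one.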
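
The normalization described under "Normalize tool arguments for evaluation", as an added example that is not code from this pull request. `normalizeArguments` and `errNoArguments` are hypothetical names; rejecting trailing data and decoding with `UseNumber` are choices made for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

var errNoArguments = errors.New("tool arguments missing")

// normalizeArguments returns tool arguments as map[string]any whether the
// transport delivered a decoded map or raw JSON bytes.
func normalizeArguments(args any) (map[string]any, error) {
	var raw []byte
	switch v := args.(type) {
	case map[string]any:
		if v == nil {
			return nil, errNoArguments
		}
		return v, nil
	case json.RawMessage:
		raw = v
	case []byte:
		raw = v
	case nil:
		return nil, errNoArguments
	default:
		return nil, fmt.Errorf("tool arguments: unsupported type %T", args)
	}
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.UseNumber() // keep large integers exact instead of rounding through float64
	var out map[string]any
	if err := dec.Decode(&out); err != nil {
		if errors.Is(err, io.EOF) { // empty or whitespace-only payload
			return nil, errNoArguments
		}
		return nil, fmt.Errorf("tool arguments: %w", err)
	}
	if out == nil { // JSON null decodes without error
		return nil, errNoArguments
	}
	if _, err := dec.Token(); !errors.Is(err, io.EOF) {
		return nil, errors.New("tool arguments: trailing data after JSON object")
	}
	return out, nil
}

func main() { fmt.Println(normalizeArguments([]byte(`{"id": 9007199254740993}`))) }
```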
Development

Successfully merging this pull request may close these issues.

Oauth flow in CE mode
