Summary
Antigravity's MCP OAuth flow displays "Paste the authorization code below:" after the user signs in at the authorization server. The input field silently caps at 1025 characters — additional pasted/typed input is dropped. This makes it impossible to authenticate against any OAuth server (notably Microsoft Entra ID / Azure AD) that issues authorization codes longer than 1025 chars, which Entra routinely does when `offline_access` is in the requested scopes (codes embed refresh-grant claims and reach ~1500–1600 chars).
Environment
- OS: Windows 11
- Antigravity CLI: v1.0.6
- Terminal: PowerShell, Git Bash, Windows Terminal — same behavior in all
- MCP server: any HTTP MCP server using Entra ID as the auth server with `offline_access` advertised in `scopes_supported`
Reproduction
- Configure an HTTP MCP server in `~/.gemini/config/mcp_config.json` whose RFC 9728 protected-resource metadata advertises an authorization server (Entra ID tenant) and includes `offline_access` in `scopes_supported`.
- Restart Antigravity.
- `/mcp` → server → `Authenticate`.
- The CLI shows the authorize URL. Open it in a browser, complete sign-in.
- The browser redirects to `https://antigravity.google/oauth-callback`, which displays the code (~1593 chars in our case) in a wrapped div for copy-paste.
- Copy the code (whitespace-stripped, single line). Paste into the CLI's `> authorization code...` prompt.
- Observed: the CLI accepts the first 1025 characters and silently rejects the rest. Pressing Enter submits the truncated code. Entra returns `AADSTS9002313: Invalid request. Request is malformed or invalid.` and Antigravity reports `failed to exchange code for token: oauth2: "invalid_grant"`.
What I tried
- Pasting in chunks: total accepted input still caps at 1025 — it's the field's total CharLimit, not per-paste.
- SendKeys / programmatic typing into the focused window: typing stops at character 1025; further keystrokes (including direct keyboard) are silently dropped while the prompt is active.
- Different terminals (PowerShell, Windows Terminal, Git Bash): same cap. Confirms the limit is in the application TUI, not the terminal.
- Symbol references in the binary: `agy.exe` contains references to `charmbracelet/bubbletea` `textinput.Model` and a `CharLimit` field, consistent with a hardcoded CharLimit on the OAuth code prompt.
- Workaround (server-side, not feasible for general use): dropping `offline_access` from the advertised scopes brings Entra codes back under 1025 chars and lets the paste through — but then no refresh token is issued, so the user must re-auth every ~60–90 min when the access token expires.
Expected
The OAuth code prompt should either:
- Remove the `CharLimit` entirely on the auth-code textinput (preferred — auth codes have no theoretical upper bound), or
- Raise it to at least 4096 to comfortably cover modern OIDC codes including refresh-grant claims, FOCI bundles, and similar metadata, or
- Replace the manual paste flow with a loopback callback when the user's environment supports binding localhost (matches what Claude Code, Codex, gcloud, and most modern MCP clients do; eliminates the paste entirely).
Why this matters
This blocks Antigravity from authenticating against Microsoft Entra ID — i.e., any enterprise OAuth deployment on Azure — when refresh tokens are desired. The same MCP server works fine with Claude Code and Codex because they use loopback redirects and never surface the code to the user.
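A minimal loopback-callback receiver of the kind the third option (and the clients named above) relies on, as an added Go example that is not Antigravity's code: the code arrives in the redirect's query string and is taken whole, so no text field and no length cap are involved. The `/callback` path, the helper names and the use of `state` as the CSRF binding are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// newState returns a random URL-safe value that binds a callback to our authorize request.
func newState() string {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand: never returns an error as of Go 1.24
	return base64.RawURLEncoding.EncodeToString(b)
}

// codeFromQuery pulls the code out of the redirect query after checking state; the value is
// taken whole from the URL, so a ~1600-char Entra code is never truncated.
func codeFromQuery(q url.Values, wantState string) (string, error) {
	switch {
	case q.Get("state") != wantState:
		return "", fmt.Errorf("oauth callback: state mismatch")
	case q.Get("error") != "":
		return "", fmt.Errorf("authorization server error: %s", q.Get("error"))
	case q.Get("code") == "":
		return "", fmt.Errorf("oauth callback: redirect carried no code")
	}
	return q.Get("code"), nil
}

// serveLoopback binds an ephemeral 127.0.0.1 port; it returns the redirect_uri for the authorize request and a channel yielding the first valid code.
func serveLoopback(state string) (string, <-chan string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", nil, err // loopback not bindable: caller falls back to the paste flow
	}
	codes := make(chan string, 1)
	go http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		code, err := codeFromQuery(r.URL.Query(), state)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		fmt.Fprintln(w, "Signed in. You can close this tab.")
		select { case codes <- code: default: } // deliver once; replays are dropped
	}))
	return "http://" + ln.Addr().String() + "/callback", codes, nil
}
```

The returned URI goes into the authorize request as `redirect_uri`; if `net.Listen` fails (sandboxed or locked-down hosts), the caller keeps the paste prompt as a fallback.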
Additional context
- The auth code we observed: 1593 chars (Entra v2, scopes `<resource>/<scope>` + `offline_access`).
- The `antigravity.google/oauth-callback` page also wraps the code visually with embedded whitespace, so even cleanly copying it requires a DevTools `document.querySelector('.code-box').innerText.replace(/\s+/g,'')` workaround — a separate UX issue worth a follow-up.