ghcp CLI should use a fixed Entra app ID to authenticate to Entra-protected remote MCP servers #1622

@DavidParks8

Describe the feature or problem you'd like to solve

The ghcp CLI does not currently use a fixed, well-known Microsoft Entra (Azure AD) app ID. As a result, when users connect to Entra-protected remote MCP servers, authentication cannot be streamlined or preauthorized. Assigning a fixed first-party Entra app ID to ghcp would allow all Entra-protected MCP servers to recognize and trust the CLI as a known first-party client — the same approach already used by GitHub Copilot in VS Code.

Proposed solution

Assign a fixed first-party Microsoft Entra app ID to the ghcp CLI, consistent with the approach taken by GitHub Copilot in VS Code. This app ID should be used as the client identity when authenticating to all Entra-protected remote MCP servers. Specifically:

  • The ghcp CLI should acquire Entra tokens using this fixed 1P app ID when connecting to any MCP server that requires Entra authentication.
  • Entra-protected MCP servers can then preauthorize this app ID, allowing seamless authentication for ghcp users.
  • The app ID should remain stable across CLI releases to avoid breaking preauthorizations.

Expected Behavior

When a ghcp user connects to any Entra-protected remote MCP server, the CLI authenticates using its fixed 1P Entra app ID. Servers that have preauthorized this app ID allow the connection without prompting the user for additional consent or credentials.

Current Behavior

No fixed Entra app ID is associated with ghcp. Each Entra-protected MCP server connection requires a separate authentication flow, and preauthorization by server operators is not reliably possible.

Example prompts or workflows

A customer wants to block the ghcp CLI from talking to msgraph when outside of the country; they can’t unless ghcp has a fixed Entra app ID.

The ghcp CLI should be able to connect to workiq remote APIs without needing a local proxy. We can’t make that happen without a fixed 1P app ID.

Additional context

  • GitHub Copilot in VS Code already uses this same approach with a fixed 1P Entra app ID, enabling Entra-protected MCP servers to preauthorize it. The ghcp CLI should adopt the same model.
  • The fixed 1P app ID should be documented for teams building Entra-protected MCP servers so they know what to preauthorize.
