nszceta
diff --git a/‎Dockerfile‎
Lines changed: 6 additions & 0 deletions b/‎Dockerfile‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎src/mcp_atlassian/confluence/config.py‎
Lines changed: 31 additions & 18 deletions b/‎src/mcp_atlassian/confluence/config.py‎
Lines changed: 31 additions & 18 deletions
diff --git a/‎src/mcp_atlassian/jira/config.py‎
Lines changed: 31 additions & 18 deletions b/‎src/mcp_atlassian/jira/config.py‎
Lines changed: 31 additions & 18 deletions
diff --git a/‎src/mcp_atlassian/servers/dependencies.py‎
Lines changed: 44 additions & 11 deletions b/‎src/mcp_atlassian/servers/dependencies.py‎
Lines changed: 44 additions & 11 deletions
diff --git a/‎src/mcp_atlassian/servers/main.py‎
Lines changed: 16 additions & 1 deletion b/‎src/mcp_atlassian/servers/main.py‎
Lines changed: 16 additions & 1 deletion
diff --git a/‎src/mcp_atlassian/utils/environment.py‎
Lines changed: 10 additions & 2 deletions b/‎src/mcp_atlassian/utils/environment.py‎
Lines changed: 10 additions & 2 deletions
@@ -46,4 +46,10 @@ COPY --from=uv --chown=app:app /app/.venv /app/.venv
 # Place executables in the environment at the front of the path
 ENV PATH="/app/.venv/bin:$PATH"
 
+# For minimal OAuth setup without environment variables, use:
+# docker run -e ATLASSIAN_OAUTH_ENABLE=true -p 8000:8000 your-image
+# Then provide authentication via headers:
+# Authorization: Bearer <your_oauth_token>
+# X-Atlassian-Cloud-Id: <your_cloud_id>
+
 ENTRYPOINT ["mcp-atlassian"]
@@ -66,7 +66,7 @@ def from_env(cls) -> "ConfluenceConfig":
             ValueError: If any required environment variable is missing
         """
         url = os.getenv("CONFLUENCE_URL")
-        if not url:
+        if not url and not os.getenv("ATLASSIAN_OAUTH_ENABLE"):
             error_msg = "Missing required CONFLUENCE_URL environment variable"
             raise ValueError(error_msg)
 
@@ -82,14 +82,14 @@ def from_env(cls) -> "ConfluenceConfig":
         # Use the shared utility function directly
         is_cloud = is_atlassian_cloud_url(url)
 
-        if oauth_config and oauth_config.cloud_id:
-            # OAuth takes precedence if fully configured
+        if oauth_config:
+            # OAuth is available - could be full config or minimal config for user-provided tokens
             auth_type = "oauth"
         elif is_cloud:
             if username and api_token:
                 auth_type = "basic"
             else:
-                error_msg = "Cloud authentication requires CONFLUENCE_USERNAME and CONFLUENCE_API_TOKEN, or OAuth configuration"
+                error_msg = "Cloud authentication requires CONFLUENCE_USERNAME and CONFLUENCE_API_TOKEN, or OAuth configuration (set ATLASSIAN_OAUTH_ENABLE=true for user-provided tokens)"
                 raise ValueError(error_msg)
         else:  # Server/Data Center
             if personal_token:
@@ -136,24 +136,37 @@ def is_auth_configured(self) -> bool:
         """
         logger = logging.getLogger("mcp-atlassian.confluence.config")
         if self.auth_type == "oauth":
-            return bool(
-                self.oauth_config
-                and (
-                    (
-                        isinstance(self.oauth_config, OAuthConfig)
-                        and self.oauth_config.client_id
+            # Handle different OAuth configuration types
+            if self.oauth_config:
+                # Full OAuth configuration (traditional mode)
+                if isinstance(self.oauth_config, OAuthConfig):
+                    if (
+                        self.oauth_config.client_id
                         and self.oauth_config.client_secret
                         and self.oauth_config.redirect_uri
                         and self.oauth_config.scope
                         and self.oauth_config.cloud_id
-                    )
-                    or (
-                        isinstance(self.oauth_config, BYOAccessTokenOAuthConfig)
-                        and self.oauth_config.cloud_id
-                        and self.oauth_config.access_token
-                    )
-                )
-            )
+                    ):
+                        return True
+                    # Minimal OAuth configuration (user-provided tokens mode)
+                    # This is valid if we have oauth_config but missing client credentials
+                    # In this case, we expect authentication to come from user-provided headers
+                    elif (
+                        not self.oauth_config.client_id
+                        and not self.oauth_config.client_secret
+                    ):
+                        logger.debug(
+                            "Minimal OAuth config detected - expecting user-provided tokens via headers"
+                        )
+                        return True
+                # Bring Your Own Access Token mode
+                elif isinstance(self.oauth_config, BYOAccessTokenOAuthConfig):
+                    if self.oauth_config.cloud_id and self.oauth_config.access_token:
+                        return True
+
+            # Partial configuration is invalid
+            logger.warning("Incomplete OAuth configuration detected")
+            return False
         elif self.auth_type == "token":
             return bool(self.personal_token)
         elif self.auth_type == "basic":
 
@@ -66,7 +66,7 @@ def from_env(cls) -> "JiraConfig":
             ValueError: If required environment variables are missing or invalid
         """
         url = os.getenv("JIRA_URL")
-        if not url:
+        if not url and not os.getenv("ATLASSIAN_OAUTH_ENABLE"):
             error_msg = "Missing required JIRA_URL environment variable"
             raise ValueError(error_msg)
 
@@ -82,14 +82,14 @@ def from_env(cls) -> "JiraConfig":
         # Use the shared utility function directly
         is_cloud = is_atlassian_cloud_url(url)
 
-        if oauth_config and oauth_config.cloud_id:
-            # OAuth takes precedence if fully configured
+        if oauth_config:
+            # OAuth is available - could be full config or minimal config for user-provided tokens
             auth_type = "oauth"
         elif is_cloud:
             if username and api_token:
                 auth_type = "basic"
             else:
-                error_msg = "Cloud authentication requires JIRA_USERNAME and JIRA_API_TOKEN, or OAuth configuration"
+                error_msg = "Cloud authentication requires JIRA_USERNAME and JIRA_API_TOKEN, or OAuth configuration (set ATLASSIAN_OAUTH_ENABLE=true for user-provided tokens)"
                 raise ValueError(error_msg)
         else:  # Server/Data Center
             if personal_token:
@@ -136,24 +136,37 @@ def is_auth_configured(self) -> bool:
         """
         logger = logging.getLogger("mcp-atlassian.jira.config")
         if self.auth_type == "oauth":
-            return bool(
-                self.oauth_config
-                and (
-                    (
-                        isinstance(self.oauth_config, OAuthConfig)
-                        and self.oauth_config.client_id
+            # Handle different OAuth configuration types
+            if self.oauth_config:
+                # Full OAuth configuration (traditional mode)
+                if isinstance(self.oauth_config, OAuthConfig):
+                    if (
+                        self.oauth_config.client_id
                         and self.oauth_config.client_secret
                         and self.oauth_config.redirect_uri
                         and self.oauth_config.scope
                         and self.oauth_config.cloud_id
-                    )
-                    or (
-                        isinstance(self.oauth_config, BYOAccessTokenOAuthConfig)
-                        and self.oauth_config.cloud_id
-                        and self.oauth_config.access_token
-                    )
-                )
-            )
+                    ):
+                        return True
+                    # Minimal OAuth configuration (user-provided tokens mode)
+                    # This is valid if we have oauth_config but missing client credentials
+                    # In this case, we expect authentication to come from user-provided headers
+                    elif (
+                        not self.oauth_config.client_id
+                        and not self.oauth_config.client_secret
+                    ):
+                        logger.debug(
+                            "Minimal OAuth config detected - expecting user-provided tokens via headers"
+                        )
+                        return True
+                # Bring Your Own Access Token mode
+                elif isinstance(self.oauth_config, BYOAccessTokenOAuthConfig):
+                    if self.oauth_config.cloud_id and self.oauth_config.access_token:
+                        return True
+
+            # Partial configuration is invalid
+            logger.warning("Incomplete OAuth configuration detected")
+            return False
         elif self.auth_type == "pat":
             return bool(self.personal_token)
         elif self.auth_type == "basic":
 
@@ -31,13 +31,15 @@ def _create_user_config_for_fetcher(
     base_config: JiraConfig | ConfluenceConfig,
     auth_type: str,
     credentials: dict[str, Any],
+    cloud_id: str | None = None,
 ) -> JiraConfig | ConfluenceConfig:
     """Create a user-specific configuration for Jira or Confluence fetchers.
 
     Args:
         base_config: The base JiraConfig or ConfluenceConfig to clone and modify.
         auth_type: The authentication type ('oauth' or 'pat').
         credentials: Dictionary of credentials (token, email, etc).
+        cloud_id: Optional cloud ID to override the base config cloud ID.
 
     Returns:
         JiraConfig or ConfluenceConfig with user-specific credentials.
@@ -54,7 +56,7 @@ def _create_user_config_for_fetcher(
     username_for_config: str | None = credentials.get("user_email_context")
 
     logger.debug(
-        f"Creating user config for fetcher. Auth type: {auth_type}, Credentials keys: {credentials.keys()}"
+        f"Creating user config for fetcher. Auth type: {auth_type}, Credentials keys: {credentials.keys()}, Cloud ID: {cloud_id}"
     )
 
     common_args: dict[str, Any] = {
@@ -77,22 +79,35 @@ def _create_user_config_for_fetcher(
             not base_config
             or not hasattr(base_config, "oauth_config")
             or not getattr(base_config, "oauth_config", None)
-            or not getattr(getattr(base_config, "oauth_config", None), "cloud_id", None)
         ):
             raise ValueError(
-                f"Global OAuth config (with cloud_id) for {type(base_config).__name__} is missing, "
-                "but user auth_type is 'oauth'. Cannot determine cloud_id."
+                f"Global OAuth config for {type(base_config).__name__} is missing, "
+                "but user auth_type is 'oauth'."
             )
         global_oauth_cfg = base_config.oauth_config
+
+        # Use provided cloud_id or fall back to global config cloud_id
+        effective_cloud_id = cloud_id if cloud_id else global_oauth_cfg.cloud_id
+        if not effective_cloud_id:
+            raise ValueError(
+                "Cloud ID is required for OAuth authentication. "
+                "Provide it via X-Atlassian-Cloud-Id header or configure it globally."
+            )
+
+        # For minimal OAuth config (user-provided tokens), use empty strings for client credentials
         oauth_config_for_user = OAuthConfig(
-            client_id=global_oauth_cfg.client_id if global_oauth_cfg else "",
-            client_secret=global_oauth_cfg.client_secret if global_oauth_cfg else "",
-            redirect_uri=global_oauth_cfg.redirect_uri if global_oauth_cfg else "",
-            scope=global_oauth_cfg.scope if global_oauth_cfg else "",
+            client_id=global_oauth_cfg.client_id if global_oauth_cfg.client_id else "",
+            client_secret=global_oauth_cfg.client_secret
+            if global_oauth_cfg.client_secret
+            else "",
+            redirect_uri=global_oauth_cfg.redirect_uri
+            if global_oauth_cfg.redirect_uri
+            else "",
+            scope=global_oauth_cfg.scope if global_oauth_cfg.scope else "",
             access_token=user_access_token,
             refresh_token=None,
             expires_at=None,
-            cloud_id=global_oauth_cfg.cloud_id if global_oauth_cfg else "",
+            cloud_id=effective_cloud_id,
         )
         common_args.update(
             {
@@ -106,6 +121,14 @@ def _create_user_config_for_fetcher(
         user_pat = credentials.get("personal_access_token")
         if not user_pat:
             raise ValueError("PAT missing in credentials for user auth_type 'pat'")
+
+        # Log warning if cloud_id is provided with PAT auth (not typically needed)
+        if cloud_id:
+            logger.warning(
+                f"Cloud ID '{cloud_id}' provided with PAT authentication. "
+                "PAT authentication typically uses the base URL directly and doesn't require cloud_id override."
+            )
+
         common_args.update(
             {
                 "personal_token": user_pat,
@@ -166,6 +189,8 @@ async def get_jira_fetcher(ctx: Context) -> JiraFetcher:
             user_email = getattr(
                 request.state, "user_atlassian_email", None
             )  # May be None for PAT
+            user_cloud_id = getattr(request.state, "user_atlassian_cloud_id", None)
+
             if not user_token:
                 raise ValueError("User Atlassian token found in state but is empty.")
             credentials = {"user_email_context": user_email}
@@ -183,13 +208,16 @@ async def get_jira_fetcher(ctx: Context) -> JiraFetcher:
                 raise ValueError(
                     "Jira global configuration (URL, SSL) is not available from lifespan context."
                 )
+
+            cloud_id_info = f" with cloudId {user_cloud_id}" if user_cloud_id else ""
             logger.info(
-                f"Creating user-specific JiraFetcher (type: {user_auth_type}) for user {user_email or 'unknown'} (token ...{str(user_token)[-8:]})"
+                f"Creating user-specific JiraFetcher (type: {user_auth_type}) for user {user_email or 'unknown'} (token ...{str(user_token)[-8:]}){cloud_id_info}"
             )
             user_specific_config = _create_user_config_for_fetcher(
                 base_config=app_lifespan_ctx.full_jira_config,
                 auth_type=user_auth_type,
                 credentials=credentials,
+                cloud_id=user_cloud_id,
             )
             try:
                 user_jira_fetcher = JiraFetcher(config=user_specific_config)
@@ -268,6 +296,8 @@ async def get_confluence_fetcher(ctx: Context) -> ConfluenceFetcher:
         ):
             user_token = getattr(request.state, "user_atlassian_token", None)
             user_email = getattr(request.state, "user_atlassian_email", None)
+            user_cloud_id = getattr(request.state, "user_atlassian_cloud_id", None)
+
             if not user_token:
                 raise ValueError("User Atlassian token found in state but is empty.")
             credentials = {"user_email_context": user_email}
@@ -285,13 +315,16 @@ async def get_confluence_fetcher(ctx: Context) -> ConfluenceFetcher:
                 raise ValueError(
                     "Confluence global configuration (URL, SSL) is not available from lifespan context."
                 )
+
+            cloud_id_info = f" with cloudId {user_cloud_id}" if user_cloud_id else ""
             logger.info(
-                f"Creating user-specific ConfluenceFetcher (type: {user_auth_type}) for user {user_email or 'unknown'} (token ...{str(user_token)[-8:]})"
+                f"Creating user-specific ConfluenceFetcher (type: {user_auth_type}) for user {user_email or 'unknown'} (token ...{str(user_token)[-8:]}){cloud_id_info}"
             )
             user_specific_config = _create_user_config_for_fetcher(
                 base_config=app_lifespan_ctx.full_confluence_config,
                 auth_type=user_auth_type,
                 credentials=credentials,
+                cloud_id=user_cloud_id,
             )
             try:
                 user_confluence_fetcher = ConfluenceFetcher(config=user_specific_config)
 
@@ -239,14 +239,29 @@ async def dispatch(
         )
         if request_path == mcp_path and request.method == "POST":
             auth_header = request.headers.get("Authorization")
+            cloud_id_header = request.headers.get("X-Atlassian-Cloud-Id")
+
             token_for_log = mask_sensitive(
                 auth_header.split(" ", 1)[1].strip()
                 if auth_header and " " in auth_header
                 else auth_header
             )
             logger.debug(
-                f"UserTokenMiddleware: Path='{request.url.path}', AuthHeader='{mask_sensitive(auth_header)}', ParsedToken(masked)='{token_for_log}'"
+                f"UserTokenMiddleware: Path='{request.url.path}', AuthHeader='{mask_sensitive(auth_header)}', ParsedToken(masked)='{token_for_log}', CloudId='{cloud_id_header}'"
             )
+
+            # Extract and save cloudId if provided
+            if cloud_id_header and cloud_id_header.strip():
+                request.state.user_atlassian_cloud_id = cloud_id_header.strip()
+                logger.debug(
+                    f"UserTokenMiddleware: Extracted cloudId from header: {cloud_id_header.strip()}"
+                )
+            else:
+                request.state.user_atlassian_cloud_id = None
+                logger.debug(
+                    "UserTokenMiddleware: No cloudId header provided, will use global config"
+                )
+
             # Check for mcp-session-id header for debugging
             mcp_session_id = request.headers.get("mcp-session-id")
             if mcp_session_id:
 
@@ -59,7 +59,11 @@ def get_available_services() -> dict[str, bool | None]:
                 logger.info(
                     "Using Confluence Server/Data Center authentication (PAT or Basic Auth)"
                 )
-    # If confluence_url is not set, confluence_is_setup remains False
+    elif os.getenv("ATLASSIAN_OAUTH_ENABLE", "").lower() in ("true", "1", "yes"):
+        confluence_is_setup = True
+        logger.info(
+            "Using Confluence minimal OAuth configuration - expecting user-provided tokens via headers"
+        )
 
     jira_url = os.getenv("JIRA_URL")
     jira_is_setup = False
@@ -108,7 +112,11 @@ def get_available_services() -> dict[str, bool | None]:
                 logger.info(
                     "Using Jira Server/Data Center authentication (PAT or Basic Auth)"
                 )
-    # If jira_url is not set, jira_is_setup remains False
+    elif os.getenv("ATLASSIAN_OAUTH_ENABLE", "").lower() in ("true", "1", "yes"):
+        jira_is_setup = True
+        logger.info(
+            "Using Jira minimal OAuth configuration - expecting user-provided tokens via headers"
+        )
 
     if not confluence_is_setup:
         logger.info(