Add Tableau OAuth support

.github/workflows/test-deploy.yml

@@ -29,3 +29,10 @@ jobs:
         run: npm ci
       - name: Test build website
         run: npm run build
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: artifacts
+          if-no-files-found: error
+          path: |
+            docs/build/

docs/docs/configuration/mcp-config/authentication/README.md

@@ -9,3 +9,4 @@ There are a couple different ways to authenticate to Tableau.
 
 1. Provide your Tableau [Personal Access Token](pat.md) (PAT).
 2. Use Tableau [Connected Apps](direct-trust.md).
+3. Use Tableau OAuth.

docs/docs/configuration/mcp-config/authentication/_category_.json

@@ -1,4 +1,4 @@
 {
   "label": "Authentication",
-  "position": 4
+  "position": 2
 }

docs/docs/configuration/mcp-config/authentication/direct-trust.md

@@ -1,6 +1,5 @@
 ---
-sidebar_position: 3
-title: Direct Trust
+sidebar_position: 2
 ---
 
 # Direct Trust
@@ -22,6 +21,8 @@ it internally calls into VizQL Data Service, the JWT will only have the
 
 The username for the `sub` claim of the JWT.
 
+- Can either be a hard-coded username, or the OAuth username by setting it to `{OAUTH_USERNAME}`.
+
 <hr />
 
 ### `CONNECTED_APP_CLIENT_ID`
@@ -53,12 +54,13 @@ code where it could accidentally be revealed.
 
 ### `JWT_ADDITIONAL_PAYLOAD`
 
-A JSON string that includes any additional user attributes to include on the JWT.
+A JSON string that includes any additional user attributes to include on the JWT. It also supports
+dynamically including the OAuth username.
 
 Example:
 
 ```json
-{ "region": "West" }
+{ "username": "{OAUTH_USERNAME}", "region": "West" }
 ```
 
 [direct-trust]: https://help.tableau.com/current/online/en-us/connected_apps.htm#direct-trust

docs/docs/configuration/mcp-config/authentication/oauth.md

@@ -0,0 +1,22 @@
+---
+sidebar_position: 3
+---
+
+# OAuth
+
+:::warning
+
+Tableau Server 2025.3+ only. Tableau Cloud is not supported yet but is coming soon ETA Q2 2026.
+
+Otherwise, you can still test by running the MCP server locally.
+
+:::
+
+When `AUTH` is `oauth`, the MCP server will use a Tableau session initiated by the Tableau OAuth
+flow to authenticate to the Tableau REST APIs.
+
+:::info
+
+See [Enabling OAuth](../oauth.md) for details on how to configure the MCP server to use OAuth.
+
+:::

docs/docs/configuration/mcp-config/authentication/pat.md

@@ -1,5 +1,5 @@
 ---
-sidebar_position: 2
+sidebar_position: 1
 title: PAT
 ---
 

docs/docs/configuration/mcp-config/optional.md → docs/docs/configuration/mcp-config/env-vars.md

@@ -1,10 +1,29 @@
 ---
-sidebar_position: 2
+sidebar_position: 1
 ---
 
-# Optional Environment Variables
+# Environment Variables
 
-Values for the following environment variables are optional.
+Values for the following environment variables can be provided to configure the Tableau MCP server.
+
+## `SERVER`
+
+The URL of the Tableau server.
+
+- For Tableau Cloud, specify your site's specific pod e.g.
+  `https://prod-useast-c.online.tableau.com`
+- Required unless [`AUTH`](#auth) is `oauth`.
+
+<hr />
+
+## `SITE_NAME`
+
+The name of the Tableau site to use.
+
+- For Tableau Cloud, specify your site name.
+- For Tableau Server, you may leave this value blank to use the default site.
+
+<hr />
 
 ## `TRANSPORT`
 
@@ -19,10 +38,10 @@ The MCP transport type to use for the server.
 
 ## `AUTH`
 
-The Tableau authentication method to use by the server.
+The method the MCP server uses to authenticate to the Tableau REST APIs.
 
 - Default: `pat`
-- Possible values: `pat` or `direct-trust`
+- Possible values: `pat`, `direct-trust`, or `oauth`
 - See [Authentication](authentication) for additional required variables depending on the desired
   method.
 
@@ -43,6 +62,8 @@ APIs.
 - Each line in the log file is a JSON object with the following properties:
 
   - `timestamp`: The timestamp of the log message in UTC time.
+  - `username`: For tool calls, the username of the user who made the call. This is only present
+    when OAuth is enabled.
   - `level`: The logging level of the log message.
   - `logger`: The logger of the log message. This is typically `rest-api` for HTTP traces or
     `tableau-mcp` for tool calls.