Unexpected behaviour of SITE_NAME with OAUTH_LOCK_SITE prevents connection to Tableau MCP #225

@RRDTIL

Describe the bug

When OAUTH_LOCK_SITE=true and SITE_NAME=<your site>, you will not be able to connect to Tableau Server via the OAuth page if SITE_NAME doesn't respect some undocumented rules.

The MCP Client is a custom Python webapp.
The MCP Client and Tableau MCP are deployed on separate AWS EC2 instances, each behind its own Caddy reverse proxy.

Expected behavior

I was supposed to be able to connect to my Tableau Server OAuth page.

Versions

Tableau Server Version : 2025.3.0 (20253.25.1117.1115) 64-bit Windows
Tableau MCP Version : 1.15.2 Commit 06fe8df + small modifications :

  • Added private key to Dockerfile
  • Added console.log in callback.ts
  • Added string "2025-11-25" in src/server/middleware:supportedVersions

Steps to reproduce

The bug

Have a Tableau site with ContentURL != DisplayName and containing spaces and brackets, such as:
ContentURL: "Internal"
DisplayName: "[INTERNAL] My Company"

Note: I'll use <VariableName> as placeholders in the following code blocks.

Have env vars such as:

AUTH=oauth
TRANSPORT=http
OAUTH_ISSUER=<tmcpServerHostname>
SERVER=<tableauServerHostname>
OAUTH_JWE_PRIVATE_KEY_PATH=<keyPath>
CORS_ORIGIN_CONFIG=true
TRUST_PROXY_CONFIG=true
ENABLE_SERVER_LOGGING=true

OAUTH_LOCK_SITE=true

When I set SITE_NAME=<ContentURL> and I am already connected to my server in the browser, I get this error message:

{
  "error": "invalid_request",
  "error_description": "User signed in to site: <DisplayName>. Expected site: <ContentURL>. Please reconnect your client and choose the [<ContentURL>] site in the site picker if prompted."
}

When I set SITE_NAME=<DisplayName> and reconnect to my Tableau server before accessing the app, I get this error message:

{
  "error": "invalid_request",
  "error_description": "Invalid request. Did you sign in to the wrong site? From your browser, please sign out of your site and reconnect your agent to Tableau MCP."
}

When I disconnect from the Tableau server and try to connect to the Tableau OAuth page without having an active session in my browser cache by just accessing my MCP client, I enter my username and password, click on connect, and Tableau's error message is displayed in red under my password.

Further exploration and potential solution

Create a new site with ContentURL = DisplayName such as "testsmcp"
Set SITE_NAME=testsmcp
Try to connect, it should be working

It seems to me that when TRANSPORT=oauth and OAUTH_LOCK_SITE=true, SITE_NAME now wants to be set to the display name of the Tableau site and not its contentUrl. It also seems that the characters "[", "]" and " " may cause problems when Tableau MCP processes the site name.

Logs

Sadly, there are no logs.
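
A pre-flight check for the configuration described in this report, added here as an illustration; it is not Tableau MCP code and not part of the original post. The site records are constructed from the values in the report, and `classifySiteName` is a hypothetical helper that shows whether a `SITE_NAME` value equals a site's contentUrl, its display name, or both, and whether it contains characters that change under URL encoding.

```javascript
// Constructed site records using the values from the report above.
// Field names follow the report's terms: contentUrl and (display) name.
const SITES = [
  { contentUrl: "Internal", name: "[INTERNAL] My Company" },
  { contentUrl: "testsmcp", name: "testsmcp" },
];

// Hypothetical helper: describe how a SITE_NAME value relates to known sites.
function classifySiteName(siteName, sites) {
  const byContentUrl = sites.filter((s) => s.contentUrl === siteName);
  const byDisplayName = sites.filter((s) => s.name === siteName);
  // Values that match a contentUrl only when letter case is ignored.
  const caseOnly = sites.filter(
    (s) =>
      s.contentUrl !== siteName &&
      s.contentUrl.toLowerCase() === siteName.toLowerCase()
  );

  let match = "none";
  if (byContentUrl.length && byDisplayName.length) match = "both";
  else if (byContentUrl.length) match = "contentUrl";
  else if (byDisplayName.length) match = "displayName";

  return {
    match,
    // True when the matched site has two different identifiers, which is
    // the situation in which the report saw the sign-in rejected.
    identifiersDiffer: [...byContentUrl, ...byDisplayName].some(
      (s) => s.contentUrl !== s.name
    ),
    // "[", "]" and " " are all rewritten by URL encoding.
    changesWhenUrlEncoded: encodeURIComponent(siteName) !== siteName,
    caseOnlyMatches: caseOnly.map((s) => s.contentUrl),
  };
}

// Print the classification for each value tried in the report, plus a
// lower-cased variant to show the case-only match.
for (const value of ["Internal", "[INTERNAL] My Company", "testsmcp", "internal"]) {
  console.log(value, JSON.stringify(classifySiteName(value, SITES)));
}
```

Only the `testsmcp` value comes back as `both` with `identifiersDiffer` false, which is the one configuration the report found to work.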
