"The connection consent pop-up window has been closed unexpectedly" during MCP OAuth flow

Posted by Microsoft Employee
Hi all,
 
I'm testing a remotely hosted MCP server in the Copilot Studio. The server is configured to support OAuth through WorkOS with a custom login page which is hosted on our web app. When creating a new connection to the server, the OAuth flow is triggered and I'm redirected to the custom login page correctly. However, even before I log in, the Copilot Studio already reports that "The connection consent pop-up window has been closed unexpectedly".

On any traffic to our web app we set "Cross-Origin-Opener-Policy": "same-origin-allow-popups" and this seems to break the tracking of the OAuth flow by the Copilot Studio. I've tested the service on a test environment without this header, and then the flow succeeds. However, we don't want to relax our web app security settings. 

Am I correct in assuming that the Copilot Studio MCP OAuth flow requires the window.opener to persist over the redirects? Are there any other workarounds to make this flow work without relaxing the security settings? Curious for any pointers here.
  • Prasad-MSFT, Microsoft Employee:
    Why this happens:
    The OAuth consent flow opens a popup and expects to communicate back to the parent window using window.opener.
    With Cross-Origin-Opener-Policy: same-origin-allow-popups, the popup is isolated from the parent, so the parent cannot detect the OAuth completion.
    Workarounds:
    • There is currently no supported workaround that preserves full COOP isolation and allows the OAuth flow to work, because the browser security model intentionally blocks this communication.
    • The only way to make the flow work is to remove or relax the Cross-Origin-Opener-Policy header for the OAuth endpoints involved in the authentication flow (at least for the login and redirect URIs).
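
One way to scope the relaxation described in the reply to the login and redirect URIs only, as an added example that is not part of the thread and not Microsoft or WorkOS code. The two paths are hypothetical placeholders, and the wrapper assumes a plain Node-style `(req, res)` handler.

```javascript
// Added example: path names are hypothetical; substitute the login and
// redirect URIs your OAuth configuration actually uses.
const OAUTH_POPUP_PATHS = ['/oauth/login', '/oauth/callback'];

const STRICT_COOP = 'same-origin-allow-popups'; // the app-wide value from the post
const RELAXED_COOP = 'unsafe-none';             // browser default, no opener isolation
const BASE = 'http://placeholder.invalid';      // dummy origin used only for parsing

// Return the COOP value for a raw request target such as "/oauth/login?x=1".
function coopFor(rawTarget) {
  let url;
  try {
    // URL parsing drops the query string and resolves "." and ".." segments
    // (including percent-encoded ones), so "/oauth/login/../../admin" is
    // evaluated as "/admin" instead of matching by prefix.
    url = new URL(rawTarget, BASE);
  } catch {
    return STRICT_COOP; // unparseable target: fail closed
  }
  // Targets like "//other.example/oauth/login" parse as a different host.
  if (url.origin !== BASE) return STRICT_COOP;

  const relaxed = OAUTH_POPUP_PATHS.some(
    // Exact match or a sub-path on a segment boundary, so that
    // "/oauth/login-admin" does not inherit the relaxation.
    (p) => url.pathname === p || url.pathname.startsWith(p + '/')
  );
  return relaxed ? RELAXED_COOP : STRICT_COOP;
}

// Wrap a Node-style (req, res) handler so every response carries the header.
function withCoop(handler) {
  return (req, res) => {
    res.setHeader('Cross-Origin-Opener-Policy', coopFor(req.url));
    return handler(req, res);
  };
}
```

Every page outside the listed paths keeps `same-origin-allow-popups`; only responses served inside the consent pop-up flow are sent with the relaxed value.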