remote-mcp-ping-federate
Verified Safe by EPortman-Ping
Overview
A Cloudflare Workers MCP server secured with PingFederate, enabling AI agents to call protected downstream APIs on behalf of an authenticated end user via OAuth 2.0 token exchange.
Installation
npm run deploy
Environment Variables
- PING_FEDERATE_ISSUER
- MCP_SERVER_IDENTIFIER
- MCP_SERVER_CLIENT_ID
- MCP_SERVER_CLIENT_SECRET
- API_URL
Security Notes
The server implements robust OAuth 2.0 and OIDC practices, including JWT validation using the `jose` library (fetching JWKS from the issuer), and secure token exchange. All sensitive configurations are managed through environment variables, preventing hardcoding. A least-privilege approach is used by filtering scopes during token exchange. Cloudflare Durable Objects provide secure and isolated session state. While debugging tools exposing tokens exist in this demo, they would require strict access controls or removal in a production environment.
Similar Servers
mcpflare
Enhances security and efficiency of Model Context Protocol (MCP) servers for AI agents by providing zero-trust isolation and significantly reducing context window token usage.
remote-mcp-pingone-aic
Cloudflare Workers MCP server enabling AI agents (MCP clients) to call a protected API on behalf of an authenticated end user via PingOne Advanced Identity Cloud (AIC).
remote-mcp-pingone
Provides an OIDC-secured Model Context Protocol (MCP) server on Cloudflare Workers, allowing AI agents to securely call protected APIs on behalf of authenticated end-users, leveraging PingOne DaVinci for authentication and consent.
test-remote-mcp-server
Deploys a remote Model Context Protocol (MCP) server on Cloudflare Workers to expose custom tools to AI agents without authentication.