remote-mcp-pingone
Verified Safe
by EPortman-Ping
Overview
Provides an OIDC-secured Model Context Protocol (MCP) server on Cloudflare Workers, allowing AI agents to securely call protected APIs on behalf of authenticated end-users, leveraging PingOne DaVinci for authentication and consent.
Installation
npm run dev
Environment Variables
- PINGONE_ISSUER
- PINGONE_DV_POLICY_ID
- MCP_SERVER_CLIENT_ID
- MCP_SERVER_CLIENT_SECRET
- API_IDENTIFIER
- API_URL
- COOKIE_ENCRYPTION_KEY
Security Notes
The server follows current OAuth 2.1 and OIDC guidance for a confidential-client proxy: the authorization request uses PKCE and an OIDC nonce, and CSRF protection combines one-time state tokens with binding of that state to the browser session through a hashed cookie. Values rendered into HTML are sanitized to prevent XSS. Tokens presented to the downstream API are validated as JWTs against the issuer's JWKS, checking signature, issuer, audience, and expiry. Credentials (client secret, cookie encryption key) are externalized to environment variables rather than committed to source. The architecture runs on Cloudflare's serverless platform (Workers, Durable Objects, KV).

The authors mark the repository as a demo template. The source nonetheless demonstrates sound practice for an OAuth/OIDC proxy; a minor deduction reflects the inherent complexity of OAuth server implementations and the demo disclaimer, which implies further production hardening may be needed depending on the specific threat model.
Similar Servers
mold-inventory
An MCP server that provides an LLM with authenticated access to a mold inventory management API, allowing it to retrieve mold data on behalf of a user.
remote-mcp-server-authless1
A remote Model Context Protocol (MCP) server that exposes unauthenticated calculator tools via Cloudflare Workers for AI agents.
remote-mcp-pingone-aic
Cloudflare Workers MCP server enabling AI agents (MCP clients) to call a protected API on behalf of an authenticated end user via PingOne Advanced Identity Cloud (AIC).
remote-mcp-ping-federate
A Cloudflare Workers MCP server secured with PingFederate, enabling AI agents to call protected downstream APIs on behalf of an authenticated end user via OAuth 2.0 token exchange.