remote-mcp-pingone-aic
Verified Safe by EPortman-Ping
Overview
Cloudflare Workers MCP server enabling AI agents (MCP clients) to call a protected API on behalf of an authenticated end user via PingOne Advanced Identity Cloud (AIC).
Installation
npm install && npm run dev
Environment Variables
- PING_AIC_ISSUER
- MCP_SERVER_URL
- MCP_SERVER_CLIENT_ID
- MCP_SERVER_CLIENT_SECRET
- API_URL
Security Notes
The server leverages standard OAuth 2.0 Token Exchange and JWT validation for robust authentication and authorization. Secrets are loaded from environment variables, preventing hardcoding. Scopes are filtered to enforce least privilege during token exchange for downstream API calls. Error handling for authentication failures provides generic 'Unauthorized' or 'Forbidden' messages without leaking sensitive information. The architecture inherently benefits from Cloudflare's serverless security features and Durable Objects for isolated session state. Detailed PingOne AIC configuration steps are provided to ensure secure delegation and client onboarding, although incorrect configuration could introduce vulnerabilities.
Similar Servers
mold-inventory
An MCP server that provides an LLM with authenticated access to a mold inventory management API, allowing it to retrieve mold data on behalf of a user.
mcpflare
Enhances security and efficiency of Model Context Protocol (MCP) servers for AI agents by providing zero-trust isolation and significantly reducing context window token usage.
remote-mcp-ping-federate
A Cloudflare Workers MCP server secured with PingFederate, enabling AI agents to call protected downstream APIs on behalf of an authenticated end user via OAuth 2.0 token exchange.
remote-mcp-pingone
Provides an OIDC-secured Model Context Protocol (MCP) server on Cloudflare Workers, allowing AI agents to securely call protected APIs on behalf of authenticated end-users, leveraging PingOne DaVinci for authentication and consent.