mcp-auth
by auth-agent
Overview
Provides an OAuth 2.1 authorization server for Model Context Protocol (MCP) servers, enabling secure authentication for AI agents interacting with third-party APIs like Adobe Premiere Pro.
Installation
cd workers && npm run devEnvironment Variables
- JWT_SECRET
- SUPABASE_URL
- SUPABASE_SERVICE_KEY
Security Notes
The example `mcp-adobe-premiere-pro` server's UXP plugin (`uxp-plugin/bridge.js`) uses `eval(script)` and `app.executeExtendScript(script)` to execute arbitrary ExtendScript code received from command files. These commands are generated by the `PremiereProTools` class based on tool calls from AI agents. This design presents a critical remote code execution vulnerability if an attacker can inject malicious script fragments into tool arguments, bypassing `zod` validation or exploiting vulnerabilities in script string construction. The core `mcp-auth` OAuth server itself demonstrates good security practices (PBKDF2 hashing, JWT signing, PKCE, secure secret management, HTTPS). However, the presence of `eval` in the provided example, meant to be used with this authorization server, significantly lowers the overall safety score.
Similar Servers
example-remote-server
A reference server demonstrating all Model Context Protocol (MCP) features and OAuth 2.0 authentication patterns.
oauth-mcp-proxy
OAuth 2.1 authentication library for Go MCP servers, supporting both mark3labs and official SDKs for token validation and caching.
mcp-server-playground
A playground and reference implementation for a Model Context Protocol (MCP) server, featuring streamable HTTP transport, OAuth proxy for third-party authorization servers like Auth0, and stateful session management.
mcp-typescript-starter
A feature-complete Model Context Protocol (MCP) server template in TypeScript demonstrating all major MCP features for AI assistant interaction.