Microsoft365-mcp-server

The project explicitly prioritizes security with OAuth 2.1 (PKCE support), multi-tenant session management, and automatic token refresh. The `auth_session_analysis.md` details comprehensive security hardening, including removing trust from unverified JWTs, enforcing session-to-user binding, mandatory session expiration, and not persisting `client_secret`. It uses the `msal` library for robust OAuth flows. `MCP_PERSIST_CREDENTIALS` is off by default, and if enabled, credentials are saved with restricted file permissions (`0o600`). `OAUTHLIB_INSECURE_TRANSPORT` (or `OAUTH2_ALLOW_INSECURE_TRANSPORT` in Docker) is configurable, defaulting to `false`, which is good for production but can be enabled for local HTTP development. The security model, documentation, and explicit mitigation of common OAuth risks indicate a strong security posture. Minor risk from `OAUTHLIB_INSECURE_TRANSPORT` if misconfigured in production.