mcp-oauth
Verified Safeby giantswarm
Overview
Provider-agnostic OAuth 2.1 Authorization Server library for Model Context Protocol (MCP) servers, enabling URL-based client identifiers with dynamic metadata discovery (CIMD).
Installation
go run main.goEnvironment Variables
- GOOGLE_CLIENT_ID
- GOOGLE_CLIENT_SECRET
- OTLP_ENDPOINT
- REGISTRATION_ACCESS_TOKEN
- ENCRYPTION_KEY
Security Notes
The library demonstrates a high degree of security consciousness, implementing PKCE enforcement (S256 only), refresh token rotation, token encryption at rest (AES-256-GCM), comprehensive redirect URI validation with SSRF protection, per-domain rate limiting for CIMD fetches, and audit logging. It applies secure-by-default configurations and explicitly warns about insecure practices (e.g., using environment variables for secrets in production, enabling insecure HTTP, allowing plain PKCE). Strict validation is performed on URLs, scopes, and various inputs to prevent common attack vectors like XSS, SSRF, and injection. JWKS endpoints are also protected against SSRF. Overall, the architecture and code show a strong focus on security best practices.
Similar Servers
example-remote-server
A reference server demonstrating all Model Context Protocol (MCP) features and OAuth 2.0 authentication patterns.
oauth-mcp-proxy
OAuth 2.1 authentication library for Go MCP servers, supporting both mark3labs and official SDKs for token validation and caching.
mcp-server-playground
A playground and reference implementation for a Model Context Protocol (MCP) server, featuring streamable HTTP transport, OAuth proxy for third-party authorization servers like Auth0, and stateful session management.
mcp-s-oauth
Universal OAuth middleware for MCP (Model Context Protocol) servers, enabling authentication with various OAuth providers.