
mcp-oauth

Verified Safe

by giantswarm

Overview

An OAuth 2.1 Authorization Server library for Model Context Protocol (MCP) servers, designed to manage user authentication and authorization across multiple identity providers.

Installation

Run Command
go build && ./mcp-2025-11-25

Environment Variables

  • GOOGLE_CLIENT_ID
  • GOOGLE_CLIENT_SECRET

Security Notes

The server exhibits strong security posture, including mandatory PKCE enforcement, refresh token rotation with reuse detection and immediate revocation of all associated tokens, comprehensive redirect URI validation to prevent SSRF and open redirect attacks (including DNS resolution checks), and generic error messages to prevent information leakage. It incorporates a two-layer PKCE architecture (client-to-server and server-to-provider) for defense-in-depth. Critical secrets like client secrets are hashed using bcrypt. The project explicitly warns against using environment variables for secrets in production and recommends secret managers, demonstrating high security awareness. OpenTelemetry tracing is implemented with explicit warnings against logging sensitive data, and reserved attribute keys prevent accidental logging of credentials. Rate limiting is applied to discovery endpoints, IP addresses, and user IDs. The code includes internal security warnings for development-only features (e.g., stdout exporters, insecure OTLP transport).

Stats

Interest Score: 34
Security Score: 9
Cost Class: Low
Stars: 2
Forks: 0
Last Update: 2025-12-13

Tags

OAuth, Authorization, API Security, Go, OpenTelemetry