mcp-oauth-server
Verified Safe by wille
Overview
This server provides an OAuth 2.1 Authorization Server implementation, compliant with the MCP Authorization Spec, to handle authentication and authorization for MCP clients and resource servers.
Installation
pnpm example:server
Environment Variables
- MCP_DANGEROUSLY_ALLOW_INSECURE_ISSUER_URL
- DEBUG
Security Notes
The server demonstrates good security practices, including adherence to OAuth 2.1 requirements such as PKCE (Proof Key for Code Exchange) for the authorization code flow. It implements rate limiting on critical endpoints (authorization, token, revocation, client registration) to prevent abuse and brute-force attacks. Client secrets are dynamically generated using cryptographically secure methods. It enforces HTTPS for issuer URLs in production (with a development override that logs a warning). CORS is enabled for public endpoints, which is standard for an OAuth Authorization Server. No direct use of `eval` and no obvious hardcoded sensitive secrets were found. However, for production it explicitly requires a custom, persistent storage backend, as the default is in-memory.
Similar Servers
frontmcp
The CodeCall plugin provides AgentScript-based meta-tools for orchestrating MCP tools, enabling programmatic discovery, description, execution, and invocation of server capabilities within a sandboxed JavaScript environment.
example-remote-server
A reference server demonstrating all Model Context Protocol (MCP) features and OAuth 2.0 authentication patterns.
oauth-mcp-proxy
OAuth 2.1 authentication library for Go MCP servers, supporting both mark3labs and official SDKs for token validation and caching.
mcp-server-playground
A playground and reference implementation for a Model Context Protocol (MCP) server, featuring streamable HTTP transport, OAuth proxy for third-party authorization servers like Auth0, and stateful session management.