What is Mcp Oauth Server

mcp_oauth_server is a Streamable HTTP Server that implements OAuth using device flow, allowing secure authentication without the need for PKCE.

Use cases

Use cases include IoT devices needing secure access to APIs, headless applications requiring authentication without user interaction, and any application leveraging OAuth for secure resource access.

How to use

To use mcp_oauth_server, set up the server and client according to the provided documentation. Clients can connect to the server, authenticate via GitHub, and utilize the OAuth device flow for secure token exchange.

Key features

Key features include support for OAuth via device flow, streamable HTTP server and client capabilities, and enhanced security through server-to-server token exchanges.

Where to use

mcp_oauth_server can be used in applications requiring secure authentication mechanisms, particularly in environments where traditional browser-based OAuth flows are impractical.

Implementing OAuth for Streamable HTTP Server & Client without PKCE

Overview

This repo provides:

1. A Streamable HTTP Server with with support OAuth (via device flow)
2. A Streamable HTTP Client with support for OAuth (in headless mode)

OAuth Support

At the time of writing this, I wasn’t able to use the MCP Inspector to test a Streamable HTTP Server with OAuth. This set me down the path of implementing OAuth through device flow.

In a typical browser-based flow (say using the MCP Inspector):

1. MCP Client requests connection to MCP server.
2. Server authorizes clients through a GitHub AuthProvider (redirect to GitHub); once user authorizes the scope, Server’s callback handler:
   a. Retrieves access token from GitHub, then retrieves user data
   b. Stores access token + new session token in its token store
   c. Generates temp auth code for client, saves it with newly generated session token
   d. Redirects back to client with temp auth code
3. Client exchanges temp auth code for session token, uses for subsequent requests

I wanted to replace this browser flow based OAuth flow with device flow based OAuth. This would work as follows:

In device flow based OAuth, we don’t need PKCE because:

1. There’s no redirect or client-side code handling.
2. The device code flow is inherently more secure because:
   • User opens the URL and enters code on GitHub’s page directly
   • All token exchange happens server-to-server
   • The device code itself is short-lived and can only be used by the same client that requested it (our server)
   • Only the user code is passed down from the server to the client

However, we also don’t have the browser for session storage. We may still need to implement certain methods of that the MCP’s OAuthServerProvider currently requires (e.g. exchangeAuthorizationCode and challengeForAuthorizationCode).

How to use

1. Clone this repository. Install the dependencies.

npm install

2. Go to your Developer Settings on GitHub (under Settings) and create an OAuth app. Enter "http://localhost for callback URL if needed. Be sure to select ‘Enable Device Flow’. Note the Client ID and Client Secret.

3. Set the GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET environment variables in your local dev environment.

4. Start the MCP Server.

npx tsx server/index_streamable.ts

5. In a different terminal, start the MCP Client.

npx tsx client/client.ts