OAuth 2.1 authorization support has been added to the MCP Framework, implementing the Model Context Protocol authorization specification. This enables secure user authentication with authorization servers like AWS Cognito, Auth0, Okta, and others.
src/auth/providers/oauth.ts(630+ lines)- Complete OAuth 2.1 provider with PKCE
- Token validation (JWT and introspection)
- Protected Resource Metadata generation
- Authorization flow management
- Token caching with configurable TTL
-
OAUTH_GUIDE.md- Comprehensive OAuth setup guide with:- Feature overview
- Quick start examples
- AWS Cognito setup instructions
- Authorization flow details
- Advanced configuration
- Security considerations
- Testing instructions
- Troubleshooting guide
-
OAUTH_IMPLEMENTATION_SUMMARY.md- Technical implementation summary -
OAUTH_QUICK_START.md- 5-minute quick start guide
examples/oauth-simple-example.ts- Minimal OAuth setupexamples/oauth-cognito-example.ts- Complete Cognito integrationexamples/oauth-custom-validator.ts- Advanced token validationexamples/oauth-test-client.ts- OAuth testing clientexamples/README.md- Examples documentation with flow diagrams
-
src/auth/types.ts- Added optional
headersfield toAuthProvider.getAuthError()return type - Added
oauthendpoint option toAuthConfig.endpoints
- Added optional
-
src/auth/index.ts- Export
OAuthProviderclass - Export
OAuthConfigtype
- Export
-
src/transports/sse/types.ts- Added
oauthconfiguration section with callback handlers - Updated
SSETransportConfigInternalto include oauth option
- Added
-
src/transports/sse/server.ts- Added
/.well-known/oauth-protected-resourceendpoint (RFC 9728) - Added OAuth callback handler at
/oauth/callback - Enhanced authentication handling with OAuth-specific WWW-Authenticate headers
- Added
handleProtectedResourceMetadata()method - Added
handleOAuthCallback()method - Updated
handleAuthentication()to support OAuth provider
- Added
-
README.md- Added OAuth 2.1 authentication section
- Updated features list to mention OAuth support
- Added links to OAuth documentation
- ✅ Authorization Code Flow with PKCE (RFC 7636)
- ✅ Token validation (JWT and opaque tokens)
- ✅ State parameter for CSRF protection
- ✅ Token caching with configurable TTL
- ✅ Automatic token cache cleanup
-
✅ RFC 9728: OAuth 2.0 Protected Resource Metadata
/.well-known/oauth-protected-resourceendpoint- Automatic metadata generation
-
✅ RFC 8707: Resource Indicators for OAuth 2.0
resourceparameter in authorization/token requests- Audience validation in tokens
-
✅ RFC 8414: OAuth 2.0 Authorization Server Metadata
- Automatic metadata discovery
- Endpoint caching
-
✅ RFC 7636: Proof Key for Code Exchange
- SHA256 code challenge generation
- Code verifier validation
- ✅ Strict audience validation (prevents token misuse)
- ✅ PKCE mandatory for all flows
- ✅ WWW-Authenticate headers with proper metadata
- ✅ Token passthrough prevention
- ✅ Configurable security policies
- ✅ AWS Cognito compatibility
- ✅ Auth0 support
- ✅ Okta support
- ✅ Custom token validators
- ✅ Generic OAuth 2.1 server support
// OAuth Provider
export { OAuthProvider } from "./auth/providers/oauth.js";
// OAuth Types
export type { OAuthConfig } from "./auth/providers/oauth.js";// SSE Transport OAuth Configuration
interface SSETransportConfig {
oauth?: {
onCallback?: (params: {
accessToken: string;
refreshToken?: string;
expiresIn?: number;
state?: string;
}) => Promise<void> | void;
onError?: (error: Error, state?: string) => Promise<void> | void;
};
}
// OAuth Provider Configuration
interface OAuthConfig {
authorizationServer: string;
clientId?: string;
clientSecret?: string;
resourceUri: string;
callbackPath?: string;
tokenEndpoint?: string;
jwksUri?: string;
requiredScopes?: string[];
customValidator?: (token: string) => Promise<{ valid: boolean; data?: Record<string, any> }>;
tokenCacheTTL?: number;
supportDynamicRegistration?: boolean;
authorizationEndpoint?: string;
strictAudienceValidation?: boolean;
metadata?: Record<string, any>;
}import { MCPServer, APIKeyAuthProvider } from "mcp-framework";
const server = new MCPServer({
transport: {
type: "sse",
options: {
auth: {
provider: new APIKeyAuthProvider({
keys: [process.env.API_KEY]
})
}
}
}
});import { MCPServer, OAuthProvider } from "mcp-framework";
const server = new MCPServer({
transport: {
type: "sse",
options: {
auth: {
provider: new OAuthProvider({
authorizationServer: "https://your-domain.auth.us-east-1.amazoncognito.com",
clientId: process.env.COGNITO_CLIENT_ID,
clientSecret: process.env.COGNITO_CLIENT_SECRET,
resourceUri: "https://mcp.example.com",
requiredScopes: ["openid", "profile"],
}),
endpoints: {
sse: false,
messages: true,
}
},
oauth: {
onCallback: async ({ accessToken, refreshToken }) => {
console.log("User authorized successfully!");
},
onError: async (error) => {
console.error("Authorization failed:", error);
}
}
}
}
});✅ Fully Backward Compatible
- All existing authentication providers (JWT, API Key) continue to work unchanged
- OAuth is opt-in - no breaking changes to existing code
- SSE transport works exactly as before if OAuth is not configured
- No changes to STDIO transport
- OAuth provider can be unit tested independently
- PKCE generation is deterministic and testable
- Token validation logic is isolated
- Test client provided (
examples/oauth-test-client.ts) - Full example servers for various scenarios
- Step-by-step testing instructions in documentation
| Document | Purpose |
|---|---|
OAUTH_GUIDE.md |
Complete setup and usage guide |
OAUTH_QUICK_START.md |
5-minute quick start |
OAUTH_IMPLEMENTATION_SUMMARY.md |
Technical details |
examples/README.md |
Example usage and flow diagrams |
README.md |
Updated with OAuth section |
- Replace
APIKeyAuthProviderwithOAuthProvider - Configure OAuth settings (authorization server, client ID, resource URI)
- Add OAuth callback handlers
- Update client to use OAuth flow instead of static API keys
- Replace
JWTAuthProviderwithOAuthProvider - Configure authorization server (instead of JWT secret)
- Optionally use
customValidatorfor JWT validation with JWKS - Add OAuth callback handlers
- HTTP Only: OAuth requires HTTP-based transport (SSE)
- No Token Persistence: Framework doesn't persist refresh tokens
- Basic JWT Validation: Use
customValidatorfor production JWKS validation - No Dynamic Registration: Clients must pre-register with auth server
Planned improvements:
- Built-in JWKS-based JWT validation
- Refresh token management
- Token revocation support
- Full dynamic client registration (RFC 7591)
- OpenID Connect support
- Multi-tenant authorization
No new dependencies added - uses existing dependencies:
jsonwebtoken(already present for JWT auth)- Native
cryptomodule for PKCE - Native
fetchfor HTTP requests
- Token validation results are cached (default 5 minutes)
- PKCE session cleanup runs automatically
- Authorization server metadata is cached (1 hour)
- Minimal overhead - only validates tokens on protected endpoints
✅ PKCE mandatory for all authorization flows ✅ State parameter prevents CSRF ✅ Strict audience validation prevents token misuse ✅ Token caching reduces validation overhead ✅ Tokens not logged or exposed ✅ HTTPS enforcement for authorization server ✅ Proper WWW-Authenticate headers ✅ No token passthrough to upstream services
- Implementation Date: October 30, 2025
- MCP Framework Version: 0.1.29+
- OAuth Specification: OAuth 2.1 (draft-ietf-oauth-v2-1-13)
Implementation completed by AI Assistant for MCP Framework.