🔐 MCP OAuth Server (OAuth 2.1 + MCP)

📊 Available MCP Tools

All tools are protected by OAuth 2.1 tokens. Authentication via external OIDC provider.

🔍 OAuth 2.1 Authorization Server Discovery

This server acts as an OAuth 2.1 Authorization Server for MCP clients like Cursor and delegates user authentication to external OIDC providers. Its Authorization Server Metadata is published at:

GET /.well-known/oauth-authorization-server

MCP clients will automatically discover OAuth endpoints and perform standard OAuth 2.1 flows with PKCE support.

🚀 MCP Client Integration

For MCP clients (like Cursor):

  1. Configure your MCP client to connect to: http://localhost:8080/sse
  2. The client will automatically discover OAuth endpoints via the metadata endpoint
  3. Client performs OAuth 2.1 authorization flow with PKCE
  4. User authenticates via external OIDC provider (redirected automatically)
  5. Client receives access token and can access MCP tools

Cursor Configuration:

{
  "mcp-oauth-server": {
    "transport": "sse",
    "url": "http://localhost:8080/sse"
  }
}

🔧 OAuth 2.1 Authorization Server Endpoints

Discovery & Registration:

GET /.well-known/oauth-authorization-server - Authorization Server Metadata
POST /register - Dynamic Client Registration

OAuth Flow:

GET /authorize - Authorization Endpoint
POST /token - Token Endpoint
GET /callback - OAuth Callback (from OIDC Provider)

Protected Resource:

POST /sse - MCP Server-Sent Events (Bearer token required)

🛡️ Security Features

⚙️ Configuration

OAuth 2.1 Flow:

1. MCP Client discovers OAuth endpoints via /.well-known/oauth-authorization-server
2. Client registers (optional) via POST /register  
3. Client redirects user to /authorize
4. Server redirects to external OIDC provider for authentication
5. OIDC provider redirects back to /callback
6. Server issues access token via /token
7. Client accesses /sse with Bearer token

This server acts as a complete OAuth 2.1 Authorization Server, using external OIDC providers for user authentication while managing tokens and client relationships locally.
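
Steps 1 and 3 of the flow above seen from the client side, as an added example that is not code from this server: it checks the discovered metadata before trusting it and builds the PKCE (S256) authorization request. Assumptions: the sample metadata values are constructed (field names follow RFC 8414), and the same-origin check is a client policy chosen for this single-host deployment, not a protocol requirement.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed sample of what GET /.well-known/oauth-authorization-server could
# return; field names are from RFC 8414, values are assumptions for this page.
SAMPLE_METADATA = {
    "issuer": "http://localhost:8080",
    "authorization_endpoint": "http://localhost:8080/authorize",
    "token_endpoint": "http://localhost:8080/token",
    "registration_endpoint": "http://localhost:8080/register",
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
}

def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(verifier)), unpadded (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_verifier() -> str:
    """43-character high-entropy verifier derived from 32 random bytes."""
    return secrets.token_urlsafe(32)

def check_metadata(expected_issuer: str, md: dict) -> None:
    """Raise ValueError for metadata a client should not act on."""
    if md.get("issuer") != expected_issuer:
        raise ValueError("issuer does not match the server that was queried")
    if "S256" not in md.get("code_challenge_methods_supported", []):
        raise ValueError("server does not advertise PKCE S256")
    # Assumed client policy: endpoints must share the issuer's scheme and host.
    origin = urlsplit(expected_issuer)[:2]
    for key in ("authorization_endpoint", "token_endpoint"):
        if urlsplit(md.get(key, ""))[:2] != origin:
            raise ValueError(f"{key} is missing or on a different origin")

def authorize_url(md, client_id, redirect_uri, verifier, state):
    """Build the step-3 redirect; only the challenge leaves the client."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
        "state": state,
    })
    return md["authorization_endpoint"] + "?" + query
```

The verifier is sent only later, in the POST /token request, so an intercepted authorization code is useless without it.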