A provider-agnostic OAuth 2.1 Authorization Server library for Model Context Protocol (MCP) servers, with support for multiple identity providers.
| Specification Version | Support Status | Documentation |
|---|---|---|
| 2025-11-25 | Full Support | Migration Guide |
| 2025-06-18 (previous) | Full Support | Backward compatible |
- Provider Abstraction - Google OAuth built-in, easy to add custom providers
- Storage Abstraction - In-memory storage included, simple interface for custom backends
- OAuth 2.1 Security - PKCE enforcement, refresh token rotation, secure defaults
- MCP 2025-11-25 - Protected Resource Metadata (RFC 9728), scope discovery, resource binding
- Observability - OpenTelemetry instrumentation with Prometheus and OTLP support
```text
┌─────────────────┐
│  Your MCP App   │
└────────┬────────┘
         │
    ┌────▼─────┐
    │ Handler  │  HTTP layer
    └────┬─────┘
         │
    ┌────▼─────┐
    │  Server  │  Business logic
    └──┬─────┬─┘
       │     │
 ┌─────▼──┐ ┌▼────────┐
 │Provider│ │ Storage │
 └────────┘ └─────────┘
```
- Handler: HTTP request/response handling
- Server: OAuth business logic (provider-agnostic)
- Provider: Identity provider integration (Google, or custom)
- Storage: Token/client/flow persistence
```go
package main

import (
	"log"
	"net/http"
	"os"

	oauth "github.com/giantswarm/mcp-oauth"
	"github.com/giantswarm/mcp-oauth/providers/google"
	"github.com/giantswarm/mcp-oauth/storage/memory"
)

// yourMCPHandler stands in for the MCP endpoint being protected. It is only
// reached after ValidateToken has accepted the request's bearer token.
var yourMCPHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.Write([]byte("authenticated MCP request\n"))
})

func main() {
	// 1. Choose a provider
	provider, err := google.NewProvider(&google.Config{
		ClientID:     os.Getenv("GOOGLE_CLIENT_ID"),
		ClientSecret: os.Getenv("GOOGLE_CLIENT_SECRET"),
		RedirectURL:  "http://localhost:8080/oauth/callback",
		Scopes:       []string{"openid", "email", "profile"},
	})
	if err != nil {
		log.Fatalf("creating provider: %v", err)
	}

	// 2. Choose storage (the in-memory store is intended for local development)
	store := memory.New()
	defer store.Stop()

	// 3. Create OAuth server; the memory store satisfies all three store interfaces
	server, err := oauth.NewServer(
		provider,
		store, // TokenStore
		store, // ClientStore
		store, // FlowStore
		&oauth.ServerConfig{
			Issuer: "http://localhost:8080",
		},
		nil,
	)
	if err != nil {
		log.Fatalf("creating OAuth server: %v", err)
	}

	// 4. Create HTTP handler and routes
	handler := oauth.NewHandler(server, nil)
	mux := http.NewServeMux()
	handler.RegisterProtectedResourceMetadataRoutes(mux, "/mcp")
	mux.Handle("/mcp", handler.ValidateToken(yourMCPHandler))
	log.Fatal(http.ListenAndServe(":8080", mux))
}
```

```shell
go get github.com/giantswarm/mcp-oauth
```

| Document | Description |
|---|---|
| Getting Started | Installation, providers, storage, first OAuth server |
| Configuration | All configuration options, CORS, interstitial pages, proxy settings |
| Security Guide | Security features, best practices, production checklist |
| Observability | OpenTelemetry, Prometheus metrics, distributed tracing |
| Discovery Mechanisms | OAuth discovery (RFC 8414, RFC 9728) |
| MCP 2025-11-25 | New specification features and migration |
| Security Architecture | Deep-dive into security implementation |
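The Protected Resource Metadata support listed under the 2025-11-25 features (RFC 9728) and the `RegisterProtectedResourceMetadataRoutes` call in the quick start rest on the same two pieces: a JSON document at a well-known path, and a 401 challenge that points clients at it. The following is an added, self-contained illustration written for this README, not the library's own implementation. It publishes the RFC 9728 document for a resource at `/mcp` and answers unauthenticated requests with the `WWW-Authenticate: Bearer resource_metadata="..."` header the RFC prescribes. The `BuildMux`, `RegisterMetadata`, `RequireBearer` and `Challenge` names, the presence-only bearer check (standing in for the library's `ValidateToken`, which actually verifies the token) and the `mcp:tools` / `mcp:resources` scope values are all assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ProtectedResourceMetadata is the RFC 9728 document a resource server publishes
// so clients can discover which authorization servers and scopes protect it.
type ProtectedResourceMetadata struct {
	Resource               string   `json:"resource"`
	AuthorizationServers   []string `json:"authorization_servers"`
	ScopesSupported        []string `json:"scopes_supported,omitempty"`
	BearerMethodsSupported []string `json:"bearer_methods_supported,omitempty"`
}

// MetadataPath builds the well-known path for a resource that has a path
// component: RFC 9728 inserts the well-known segment between host and path.
func MetadataPath(resourcePath string) string {
	return "/.well-known/oauth-protected-resource" + resourcePath
}

// RegisterMetadata serves the document on mux and returns its absolute URL so
// the challenge can point at it. (Example helper, not the library's API.)
func RegisterMetadata(mux *http.ServeMux, issuer, baseURL, resourcePath string, scopes []string) string {
	doc := ProtectedResourceMetadata{
		Resource:               baseURL + resourcePath,
		AuthorizationServers:   []string{issuer},
		ScopesSupported:        scopes,
		BearerMethodsSupported: []string{"header"},
	}
	path := MetadataPath(resourcePath)
	mux.HandleFunc(path, func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(doc)
	})
	return baseURL + path
}

// Challenge writes the 401 response from RFC 9728 section 5.1: the
// WWW-Authenticate header carries resource_metadata so a client arriving
// without a token learns where to discover the authorization server.
func Challenge(w http.ResponseWriter, metadataURL string) {
	w.Header().Set("WWW-Authenticate", fmt.Sprintf(`Bearer resource_metadata="%s"`, metadataURL))
	w.WriteHeader(http.StatusUnauthorized)
}

// RequireBearer is a deliberately minimal gate for the example: it only checks
// that a bearer token is present. The library's ValidateToken verifies it.
func RequireBearer(metadataURL string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") || len(auth) == len("Bearer ") {
			Challenge(w, metadataURL)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// BuildMux wires the metadata route and the protected /mcp endpoint together.
// The scope names are constructed for the example.
func BuildMux(issuer, baseURL string) *http.ServeMux {
	mux := http.NewServeMux()
	metaURL := RegisterMetadata(mux, issuer, baseURL, "/mcp", []string{"mcp:tools", "mcp:resources"})
	mux.Handle("/mcp", RequireBearer(metaURL, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok\n"))
	})))
	return mux
}

func main() {
	mux := BuildMux("http://localhost:8080", "http://localhost:8080")

	// An unauthenticated request is challenged and told where the metadata lives.
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, httptest.NewRequest("GET", "/mcp", nil))
	fmt.Println(rec.Code, rec.Header().Get("WWW-Authenticate"))

	// Following that pointer yields the discovery document.
	rec = httptest.NewRecorder()
	mux.ServeHTTP(rec, httptest.NewRequest("GET", MetadataPath("/mcp"), nil))
	fmt.Print(rec.Body.String())
}
```

Here the issuer and the resource share a host because the quick start runs the authorization server and the MCP endpoint in one process; in a deployment where they differ, `authorization_servers` is the list of issuers a client may use, and the `resource` value is what tokens must be bound to.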
The examples/ directory contains runnable examples:
- basic - Minimal setup with Google
- production - Full security features
- custom-scopes - Endpoint-specific scope requirements
- mcp-2025-11-25 - New MCP specification features
- prometheus - Observability integration
This library implements OAuth 2.1 with secure defaults:
- PKCE required (S256 only)
- Refresh token rotation with reuse detection
- Token encryption at rest (AES-256-GCM)
- Rate limiting and audit logging
See the Security Guide for configuration and the Security Architecture for implementation details.
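Two of the defaults above, S256-only PKCE and refresh token rotation with reuse detection, are easy to get subtly wrong, so here is an added, self-contained Go illustration of both. It is written for this README and is not the library's code: `VerifyPKCE` checks a code verifier against a challenge exactly as RFC 7636 defines S256 (base64url of SHA-256, no padding) and rejects the `plain` method; `RefreshStore` is a constructed in-memory store, not the library's `TokenStore`, that hands out a new refresh token on every use and, when an already-consumed token is presented again, revokes the whole family descended from the original grant. The RFC 7636 Appendix B verifier/challenge pair is used as the test vector; the `RefreshStore` type and its method names are assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
)

// VerifyPKCE implements the S256 check from RFC 7636:
// code_challenge == BASE64URL-nopad(SHA256(code_verifier)).
// Only S256 is accepted; "plain" is rejected outright.
func VerifyPKCE(method, challenge, verifier string) bool {
	if method != "S256" {
		return false
	}
	if len(verifier) < 43 || len(verifier) > 128 { // RFC 7636 length bounds
		return false
	}
	sum := sha256.Sum256([]byte(verifier))
	expected := base64.RawURLEncoding.EncodeToString(sum[:])
	return subtle.ConstantTimeCompare([]byte(expected), []byte(challenge)) == 1
}

var (
	ErrReuseDetected = errors.New("refresh token reuse detected; grant family revoked")
	ErrUnknownToken  = errors.New("unknown or revoked refresh token")
)

// refreshRecord is one issued refresh token. family links every token that
// descends from the same original grant so a replay can revoke all of them.
type refreshRecord struct {
	family string
	used   bool
}

// RefreshStore is a constructed in-memory store for the example (not the
// library's TokenStore) that rotates refresh tokens and detects reuse.
type RefreshStore struct {
	mu     sync.Mutex
	tokens map[string]*refreshRecord
}

func NewRefreshStore() *RefreshStore {
	return &RefreshStore{tokens: map[string]*refreshRecord{}}
}

func randomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// Issue mints the first refresh token of a new grant family.
func (s *RefreshStore) Issue() string {
	s.mu.Lock()
	defer s.mu.Unlock()
	tok := randomToken()
	s.tokens[tok] = &refreshRecord{family: tok}
	return tok
}

// Rotate consumes the presented token and returns its successor. A token that
// was already consumed means either the legitimate client or someone who
// copied the token replayed it; since the server cannot tell which, every
// token in the family is revoked and the client must re-authorize.
func (s *RefreshStore) Rotate(presented string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.tokens[presented]
	if !ok {
		return "", ErrUnknownToken
	}
	if rec.used {
		for t, r := range s.tokens {
			if r.family == rec.family {
				delete(s.tokens, t)
			}
		}
		return "", ErrReuseDetected
	}
	rec.used = true
	next := randomToken()
	s.tokens[next] = &refreshRecord{family: rec.family}
	return next, nil
}

func main() {
	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk" // RFC 7636 Appendix B
	challenge := "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
	fmt.Println("S256 ok:", VerifyPKCE("S256", challenge, verifier))
	fmt.Println("plain rejected:", !VerifyPKCE("plain", verifier, verifier))

	store := NewRefreshStore()
	r1 := store.Issue()
	r2, _ := store.Rotate(r1)
	_, err := store.Rotate(r1) // replay of the consumed token
	fmt.Println("replay:", err)
	_, err = store.Rotate(r2) // the successor is gone too: whole family revoked
	fmt.Println("successor after replay:", err)
}
```

The reason for revoking the whole family rather than just the replayed token is that after a replay the server holds two clients each claiming the latest token, and the only safe outcome is to force both back through authorization; an audit log entry at that point (which the library lists among its defaults) is what turns the event into something an operator can investigate.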
Vulnerability Reporting: See SECURITY.md for responsible disclosure.
Contributions welcome. Especially:
- New provider implementations
- Storage backends
- Security enhancements
See CONTRIBUTING.md for guidelines.
Apache License 2.0