
Implementing OAuth for Streamable HTTP Server & Client without PKCE

Created by asibyl, 8 months ago
MCP Streamable HTTP Server with Device Flow OAuth

Overview

This repo provides:

  1. A Streamable HTTP Server with support for OAuth (via device flow)
  2. A Streamable HTTP Client with support for OAuth (in headless mode)

OAuth Support

At the time of writing this, I wasn't able to use the MCP Inspector to test a Streamable HTTP Server with OAuth. This set me down the path of implementing OAuth through device flow.

In a typical browser-based flow (say using the MCP Inspector):

  1. MCP Client requests connection to MCP server.
  2. Server authorizes clients through a GitHub AuthProvider (redirect to GitHub); once user authorizes the scope, Server's callback handler:
    a. Retrieves access token from GitHub, then retrieves user data
    b. Stores access token + new session token in its token store
    c. Generates temp auth code for client, saves it with newly generated session token
    d. Redirects back to client with temp auth code
  3. Client exchanges temp auth code for session token, uses for subsequent requests

I wanted to replace this browser-based OAuth flow with device-flow-based OAuth. This would work as follows:

image

In device flow based OAuth, we don't need PKCE because:

  1. There's no redirect or client-side code handling.
  2. The device code flow is inherently more secure because:
    • User opens the URL and enters code on GitHub's page directly
    • All token exchange happens server-to-server
    • The device code itself is short-lived and can only be used by the same client that requested it (our server)
    • Only the user code is passed down from the server to the client
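
The server-side half of the device flow described above, as an added example that is not part of this repository's code. The field and error names follow GitHub's device flow responses; the function names (clientView, decide, simulate) and all sample values are hypothetical and constructed, and the poll loop is simulated so it runs without network access.

```typescript
// Added example (not from this repository). Field and error names follow
// GitHub's device flow responses; all sample values are constructed.
interface DeviceCodeResponse {
  device_code: string;      // secret: stays on the MCP server
  user_code: string;        // shown to the user
  verification_uri: string; // page where the user enters user_code
  expires_in: number;       // lifetime of device_code, in seconds
  interval: number;         // minimum seconds between polls
}
interface TokenResponse { access_token?: string; error?: string }
type Decision =
  | { kind: "wait"; intervalSec: number }
  | { kind: "done"; accessToken: string }
  | { kind: "fail"; reason: string };
// Only these two fields are forwarded to the MCP client.
function clientView(d: DeviceCodeResponse): { user_code: string; verification_uri: string } {
  return { user_code: d.user_code, verification_uri: d.verification_uri };
}

// Decide what the server does after one poll of the token endpoint.
function decide(r: TokenResponse, intervalSec: number, elapsedSec: number, expiresIn: number): Decision {
  if (r.access_token) return { kind: "done", accessToken: r.access_token };
  if (elapsedSec >= expiresIn) return { kind: "fail", reason: "expired_token" };
  switch (r.error) {
    case "authorization_pending": return { kind: "wait", intervalSec };
    case "slow_down": return { kind: "wait", intervalSec: intervalSec + 5 }; // back off
    default: return { kind: "fail", reason: r.error ?? "malformed_response" };
  }
}

// Run the poll loop over a constructed response sequence (no network, no sleep).
function simulate(d: DeviceCodeResponse, responses: TokenResponse[]): { decision: Decision; elapsedSec: number } {
  let interval = d.interval;
  let elapsed = 0;
  for (const r of responses) {
    elapsed += interval; // time the server would wait before this poll
    const decision = decide(r, interval, elapsed, d.expires_in);
    if (decision.kind !== "wait") return { decision, elapsedSec: elapsed };
    interval = decision.intervalSec;
  }
  return { decision: { kind: "fail", reason: "no_more_responses" }, elapsedSec: elapsed };
}
const SAMPLE: DeviceCodeResponse = { // constructed values
  device_code: "constructed-device-code", user_code: "ABCD-1234",
  verification_uri: "https://github.com/login/device", expires_in: 900, interval: 5,
};
console.log(clientView(SAMPLE), simulate(SAMPLE, [
  { error: "authorization_pending" }, { error: "slow_down" }, { access_token: "constructed-token" },
]));
```

In a real server the responses would come from POST requests to GitHub's token endpoint, and the wait would be an actual delay of the current interval.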

However, we also don't have the browser for session storage. We may still need to implement certain methods that the MCP's OAuthServerProvider currently requires (e.g. exchangeAuthorizationCode and challengeForAuthorizationCode).

How to use

  1. Clone this repository and install the dependencies.

     npm install

  2. Go to your Developer Settings on GitHub (under Settings) and create an OAuth app. Enter "http://localhost" for the callback URL if needed. Be sure to select 'Enable Device Flow'. Note the Client ID and Client Secret.

  3. Set the GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET environment variables in your local dev environment.

  4. Start the MCP Server.

     npx tsx server/index_streamable.ts

  5. In a different terminal, start the MCP Client.

     npx tsx client/client.ts