MCP Kafka Schema Reg

github-oauth-summary.md•11.7 kB

# 🔓 GitHub OAuth 2.1 Integration Summary **Major Update**: GitHub OAuth is now handled through the **generic OAuth 2.1 discovery system** rather than as a provider-specific integration. This represents a significant architectural improvement that simplifies configuration and improves maintainability. ## 🎯 New Architecture: Generic OAuth 2.1 Approach ### **Before (Provider-Specific - v1.x)** ```bash # Required multiple GitHub-specific variables export AUTH_PROVIDER=github export GITHUB_CLIENT_ID=your_client_id export GITHUB_CLIENT_SECRET=your_client_secret export GITHUB_ORG=your-organization export AUTH_ISSUER_URL=https://api.github.com # ... many more variables ``` ### **After (Generic OAuth 2.1 - v2.x)** ```bash # Just 2 core variables for GitHub! export AUTH_ISSUER_URL="https://github.com" export AUTH_AUDIENCE="your-github-client-id" ``` ## 🚀 Simplified Configuration ### Basic GitHub OAuth 2.1 Setup ```bash # Enable OAuth 2.1 authentication export ENABLE_AUTH=true # GitHub configuration (generic approach) export AUTH_ISSUER_URL="https://github.com" export AUTH_AUDIENCE="your-github-client-id" # Optional: Configure scopes export AUTH_VALID_SCOPES="read,write,admin" export AUTH_DEFAULT_SCOPES="read" export AUTH_REQUIRED_SCOPES="read" ``` ### **GitHub OAuth 2.1 Features** | Feature | Status | Description | |---------|--------|-------------| | **Generic Discovery** | ✅ | Uses universal OAuth 2.1 configuration | | **Automatic Fallback** | ✅ | Handles GitHub's limited OAuth 2.1 support | | **Token Validation** | ✅ | GitHub API-based validation | | **Scope Mapping** | ✅ | GitHub scopes → MCP permission mapping | | **Organization Control** | ✅ | Optional org-only access restriction | | **Multi-Token Support** | ✅ | PAT, OAuth, GitHub Apps tokens | ## 🔍 GitHub's OAuth 2.1 Limitations & Fallback Handling GitHub has **limited OAuth 2.1 support**, so the server automatically applies fallback configuration: ### **Automatic Detection & Fallback** 1. **Discovery Attempt**: Server tries `https://github.com/.well-known/oauth-authorization-server` 2. **Fallback Trigger**: When discovery fails, GitHub fallback is activated 3. **Hardcoded Endpoints**: Uses known GitHub API endpoints 4. **Seamless Operation**: No configuration changes needed ### **GitHub-Specific Endpoints (Automatic)** ```json { "issuer": "https://github.com", "authorization_endpoint": "https://github.com/login/oauth/authorize", "token_endpoint": "https://github.com/login/oauth/access_token", "userinfo_endpoint": "https://api.github.com/user", "revocation_endpoint": "https://github.com/settings/connections/applications/{client_id}", "fallback_mode": true, "oauth_2_1_limited": true } ``` ## 🎯 Token Support & Validation ### **Supported GitHub Token Types** | Token Type | Format | Validation Method | OAuth 2.1 Support | |------------|--------|-------------------|-------------------| | **Personal Access Token** | `ghp_*` | GitHub API | ✅ Supported | | **OAuth App Token** | `gho_*` | GitHub API | ✅ Supported | | **User Access Token** | `ghu_*` | GitHub API | ✅ Supported | | **Server Token** | `ghs_*` | GitHub API | ✅ Supported | | **Refresh Token** | `ghr_*` | GitHub API | ✅ Supported | | **GitHub App JWT** | JWT format | API + Claims | ✅ Supported | ### **Token Validation Flow** 1. **Token Detection**: Automatic GitHub token recognition 2. **API Validation**: Calls GitHub API for token verification 3. **Scope Extraction**: Maps GitHub scopes to MCP permissions 4. **Organization Check**: Verifies org membership (if configured) ## 🔧 Migration from Provider-Specific Setup ### **Automatic Migration** Legacy GitHub configurations are automatically detected and migrated: ```bash # OLD (v1.x) - Still works but deprecated export AUTH_PROVIDER=github export GITHUB_CLIENT_ID=your_client_id export GITHUB_CLIENT_SECRET=your_client_secret export GITHUB_ORG=your-organization # NEW (v2.x) - Recommended generic approach export AUTH_ISSUER_URL="https://github.com" export AUTH_AUDIENCE="your_client_id" ``` ### **Configuration Benefits** | Aspect | Provider-Specific (v1.x) | Generic OAuth 2.1 (v2.x) | |--------|---------------------------|---------------------------| | **Variables** | 8+ GitHub-specific | 2 universal | | **Maintenance** | GitHub-specific bugs | Generic OAuth 2.1 handling | | **Updates** | Manual code changes | Automatic via discovery | | **Compatibility** | GitHub only | Any OAuth 2.1 provider | | **Standards** | Custom implementation | RFC 8414 compliance | ## 🎯 Scope Mapping (Unchanged) GitHub scopes are automatically mapped to MCP permissions: ### **GitHub → MCP Scope Mapping** | GitHub Scope | MCP Permission | Description | |--------------|----------------|-------------| | `read:user` | `read` | Read user profile information | | `user:email` | `read` | Access user email address | | `read:org` | `read` | Read organization membership | | `repo` | `write` | Repository access (implies schema write access) | | `admin:org` | `admin` | Organization administration | | `admin:repo_hook` | `admin` | Repository webhook administration | ### **Permission Hierarchy** - **`admin`** includes `write` and `read` - **`write`** includes `read` - **`read`** is the minimum required permission ## 🏗️ GitHub App Integration GitHub Apps are automatically supported through the generic OAuth 2.1 approach: ### **GitHub App Configuration** ```bash # GitHub App with OAuth 2.1 (v2.x) export AUTH_ISSUER_URL="https://github.com" export AUTH_AUDIENCE="your-github-app-id" # GitHub App environment (optional) export GITHUB_APP_ID="your_app_id" export GITHUB_APP_PRIVATE_KEY_PATH="/path/to/private-key.pem" ``` ### **JWT Token Validation** - **Automatic Detection**: GitHub App JWT tokens are automatically recognized - **Claims Validation**: Standard JWT claims validation - **Scope Extraction**: GitHub App permissions mapped to MCP scopes - **Installation Validation**: Verifies GitHub App installation ## 🔒 Organization-Based Access Control Organization restriction is maintained through the generic approach: ### **Organization Configuration** ```bash # Generic OAuth 2.1 with organization restriction export AUTH_ISSUER_URL="https://github.com" export AUTH_AUDIENCE="your-client-id" export GITHUB_ORG="your-organization" # Optional restriction ``` ### **Organization Validation** 1. **Token Validation**: Standard GitHub API token validation 2. **User Information**: Retrieves user profile and organization membership 3. **Membership Check**: Verifies user is member of specified organization 4. **Access Decision**: Grants/denies access based on membership ## 🧪 Testing GitHub OAuth 2.1 ### **Discovery Testing** ```bash # Test OAuth 2.1 discovery (will show GitHub fallback) curl http://localhost:8000/.well-known/oauth-authorization-server | jq # Example response showing GitHub fallback { "issuer": "https://github.com", "fallback_mode": true, "oauth_2_1_limited": true, "note": "GitHub has limited OAuth 2.1 support - using fallback configuration" } ``` ### **Token Testing** ```bash # Test with GitHub Personal Access Token export OAUTH_TOKEN="ghp_your_personal_access_token" # Test with development token export OAUTH_TOKEN="dev-token-read,write,admin" # Test API access curl -H "Authorization: Bearer $OAUTH_TOKEN" \ http://localhost:8000/.well-known/oauth-protected-resource ``` ### **MCP Client Testing** ```bash # Test GitHub OAuth through MCP "Test the OAuth discovery endpoints for GitHub" "Show me GitHub OAuth configuration and token validation" "List all schema contexts using GitHub authentication" ``` ## 📊 GitHub vs Other OAuth 2.1 Providers | Feature | Azure AD | Google | Okta | Keycloak | GitHub | |---------|----------|---------|------|----------|--------| | **OAuth 2.1 Discovery** | ✅ Full | ✅ Full | ✅ Full | ✅ Full | ⚠️ Fallback | | **RFC 8414 Support** | ✅ | ✅ | ✅ | ✅ | ❌ | | **PKCE Support** | ✅ | ✅ | ✅ | ✅ | ✅ | | **Resource Indicators** | ✅ | ✅ | ✅ | ✅ | ❌ | | **Generic Configuration** | ✅ | ✅ | ✅ | ✅ | ✅ | | **API Token Validation** | ❌ | ❌ | ❌ | ❌ | ✅ | | **Organization Control** | ✅ | ✅ | ✅ | ✅ | ✅ | **Note**: GitHub's fallback mode provides the same functionality as full OAuth 2.1 providers, just without standards-based discovery. ## 🔮 Future GitHub OAuth 2.1 Improvements ### **When GitHub Adds Full OAuth 2.1 Support** - **Automatic Detection**: Server will automatically detect and use native discovery - **No Configuration Changes**: Existing configurations will work unchanged - **Enhanced Features**: Full Resource Indicators and advanced OAuth 2.1 features - **Improved Performance**: Native discovery instead of fallback mode ### **Potential GitHub Enhancements** 1. **RFC 8414 Discovery**: Standard `.well-known/oauth-authorization-server` endpoint 2. **Resource Indicators**: RFC 8707 support for resource-specific tokens 3. **Enhanced PKCE**: Improved Proof Key for Code Exchange implementation 4. **Token Introspection**: RFC 7662 token introspection endpoint ## 📚 Quick Setup Guide ### **1. Create GitHub OAuth App** ```bash # Visit: https://github.com/settings/applications/new # Configure redirect URI: https://your-mcp-server.com/auth/callback ``` ### **2. Generic OAuth 2.1 Configuration** ```bash export ENABLE_AUTH=true export AUTH_ISSUER_URL="https://github.com" export AUTH_AUDIENCE="your-github-client-id" ``` ### **3. Optional Organization Restriction** ```bash export GITHUB_ORG="your-organization" ``` ### **4. Deploy and Test** ```bash # Test discovery curl http://localhost:8000/.well-known/oauth-authorization-server # Test with MCP client "Test GitHub OAuth authentication and show me the configuration" ``` ## ✅ Benefits of Generic GitHub OAuth 2.1 ### **🚀 Simplified Configuration** - **75% fewer variables** (2 vs 8+ GitHub-specific variables) - **Universal approach** consistent with other providers - **No GitHub-specific knowledge** required ### **🔧 Easier Maintenance** - **No GitHub-specific bugs** - handled through generic OAuth 2.1 system - **Automatic updates** when GitHub improves OAuth 2.1 support - **Consistent behavior** across all OAuth providers ### **🔮 Future-Proof** - **Automatic migration** when GitHub adds full OAuth 2.1 support - **Standards compliance** where possible - **Graceful fallback** for GitHub's current limitations ### **🛡️ Same Security Features** - **Token validation** through GitHub API - **Organization restrictions** maintained - **Scope mapping** unchanged - **PKCE support** where available --- ## 📋 Migration Checklist - [ ] **Update Configuration**: Replace `AUTH_PROVIDER=github` with `AUTH_ISSUER_URL="https://github.com"` - [ ] **Set Audience**: Configure `AUTH_AUDIENCE="your-github-client-id"` - [ ] **Remove Legacy Variables**: Clean up `GITHUB_CLIENT_ID`, `GITHUB_CLIENT_SECRET` (optional) - [ ] **Test Discovery**: Verify `/.well-known/oauth-authorization-server` endpoint - [ ] **Test Authentication**: Confirm GitHub tokens still work - [ ] **Test Organization Control**: Verify organization restrictions (if used) - [ ] **Update Documentation**: Update internal docs to reflect generic approach --- > **🎉 GitHub OAuth 2.1 integration through the generic discovery system represents a major architectural improvement**. While GitHub's OAuth 2.1 support is limited, the server's intelligent fallback system provides seamless functionality with dramatically simplified configuration! 🚀 **The future is generic OAuth 2.1 - no more provider-specific configurations needed!** 🔐

Loading blob content...

Latest Blog Posts

What are Claude Skills?
By punkpeye on January 10, 2026.
mcp
skills
How to Test MCP Streamable HTTP Endpoints Using cURL
By punkpeye on January 2, 2026.
tutorial
bash
What is Streamable HTTP in MCP?
By punkpeye on January 2, 2026.
Streamable HTTP

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/aywengo/kafka-schema-reg-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

github-oauth-summary.md•11.7 kB