OAuth MCP Server
A complete OAuth 2.1 server implementation for FastMCP with PKCE support.
⚠️ Security Warning
This is an advanced authentication pattern. Building a secure OAuth server requires deep expertise in authentication protocols, cryptography, and security best practices. The FastMCP documentation strongly recommends using Remote OAuth or OAuth Proxy instead unless you have compelling requirements.
See OAUTH_README.md for complete documentation.
Quick Start
Installation
Run the Server
The server will start on http://localhost:8000 with a demo OAuth client registered.
Test the OAuth Flow
In a separate terminal:
This will demonstrate the complete OAuth 2.1 flow including:
PKCE challenge/verifier generation
Authorization code exchange
Access token usage
Token refresh
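The PKCE part of that flow, as an added example that is not the project's own code: the client derives an S256 challenge from a random verifier, and the server, when the authorization code is exchanged, checks that the presented verifier hashes to the challenge it stored with the code (the in-memory code store, client_id and redirect URI below are constructed stand-ins).

```python
"""PKCE (RFC 7636) helpers: client-side pair generation and the server-side
checks applied when an authorization code is exchanged. Added example, not the
project's own code; the in-memory code store is a constructed stand-in."""
import base64
import hashlib
import hmac
import re
import secrets

_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")  # RFC 7636 section 4.1


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """Client side: 32 random bytes give a 43-character verifier."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """Client side: S256 challenge = BASE64URL(SHA256(ASCII(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, stored_method: str, verifier: str) -> bool:
    """Server side: OAuth 2.1 allows only S256, so a 'plain' challenge is rejected."""
    if stored_method != "S256" or not _VERIFIER_RE.match(verifier):
        return False
    return hmac.compare_digest(make_challenge(verifier), stored_challenge)


# Constructed in-memory store of issued authorization codes (a database in practice).
_codes: dict[str, dict] = {}


def issue_code(client_id: str, redirect_uri: str, challenge: str, method: str) -> str:
    """Server side: bind the code to the client, redirect URI and PKCE challenge."""
    code = secrets.token_urlsafe(32)
    _codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                    "challenge": challenge, "method": method}
    return code


def exchange_code(code: str, client_id: str, redirect_uri: str, verifier: str) -> bool:
    """Server side: codes are single use; every binding and the PKCE proof must match."""
    record = _codes.pop(code, None)  # pop first so a replayed code always fails
    if record is None:
        return False
    return (record["client_id"] == client_id
            and record["redirect_uri"] == redirect_uri
            and verify_pkce(record["challenge"], record["method"], verifier))
```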
Test Dynamic Client Registration
Register new OAuth clients dynamically at runtime:
Or use curl:
The server will respond with a client_id and client_secret that you can use immediately.
Test New OAuth Endpoints
Test all the new OAuth 2.0/2.1 endpoints:
This tests:
OAuth Authorization Server Metadata discovery
Token revocation (RFC 7009)
Token introspection (RFC 7662)
UserInfo endpoint
Demo Credentials
OAuth Client:
Client ID: demo_client
Client Secret: demo_secret
Demo User:
Username: demo_user
Password: demo_password
Project Structure
Features
✅ Full OAuth 2.1 implementation
✅ PKCE (Proof Key for Code Exchange)
✅ Authorization code flow
✅ Token refresh with rotation
✅ Token revocation (RFC 7009)
✅ Token introspection (RFC 7662)
✅ Scope validation
✅ State parameter for CSRF protection
✅ Dynamic Client Registration (DCR) - RFC 7591
✅ OAuth Authorization Server Metadata (RFC 8414)
✅ OAuth Protected Resource Metadata (RFC 9470)
✅ UserInfo endpoint for user profile
Documentation
See OAUTH_README.md for:
Detailed architecture
Security considerations
Production deployment guide
Database schema
Testing strategies
Troubleshooting
References
License
Copyright Anysphere Inc.