OAuth 2.0 authorization flow #194
Thanks so much @sveneld for working on this - I'll give it a proper read and test in the next days! Do you think we could also bring a test setup into the repo, maybe on top of Keycloak or FusionAuth Docker containers in combination with some fixtures? Even if Microsoft and Okta/Auth0 are basically the most important ones, I like those local test setups for being a bit more flexible and independent. Or what do you think?
Nyholm
left a comment
Wow, thank you for working on this.
| * | ||
| * @author Volodymyr Panivko <sveneld300@gmail.com> | ||
| */ | ||
| class OAuth2HttpTransport extends StreamableHttpTransport |
This is tightly coupled to StreamableHttpTransport. What do you think about making it a part of StreamableHttpTransport instead?
+1 on this too. Auth is a fundamental part of the StreamableHttpTransport
Ok, I will add it to StreamableHttpTransport
Another thought that I just had, since I was a bit surprised not to see any 3rd-party lib - did you consider using a ready-made package, or did you explicitly try to avoid it?
I can add an implementation to the examples that uses docker compose with Keycloak.
I try to avoid using a 3rd-party lib to have fewer dependencies. If you have any suggestion for a 3rd-party lib for the OAuth implementation that can be used in the lib, write it and I will look at it.
Motivation and Context
This pull request is a draft implementation of OAuth authorization. Its purpose is to outline the general approach, structure, and integration points for further discussion and iteration. At this stage, it is not intended to be a final solution, but rather a starting point for aligning on the overall direction.
How Has This Been Tested?
I attempted to test the Microsoft OAuth authorization flow using `npx @modelcontextprotocol/inspector`. However, due to a known authorization bug in the MCP Inspector, the authorization process cannot be completed successfully at the moment. This issue prevents full end-to-end testing via the Inspector (see modelcontextprotocol/inspector#927).
Breaking Changes
No breaking changes are introduced. Existing functionality remains unaffected, and no updates to user code or configuration are required.
Types of changes
Checklist
Additional context
This pull request is intentionally a draft and is primarily meant to facilitate discussion around the OAuth authorization approach and architecture. The implementation may change significantly based on feedback before moving toward a final version.