Implements OAuth authentication by delegating authorization to Auth0, allowing secure user authentication and authorization for MCP clients without requiring manual client registration.
Provides Docker support for running and testing the MCP server with the Model Context Protocol inspector tool.
Supports environment variable configuration through .env files for easy server setup and configuration.
Mentioned as a potential third-party authorization server that the OAuth Proxy can delegate to, enabling user authentication through GitHub credentials.
Mentioned as a potential third-party authorization server that the OAuth Proxy can delegate to, enabling user authentication through Google credentials.
Leverages npm for package management and running scripts for development and testing.
Built with TypeScript, providing type safety and modern JavaScript features for the MCP server implementation.
A playground for Model Context Protocol (MCP) server built with TypeScript and Streamable HTTP transport with an OAuth Proxy for 3rd party authorization servers like Auth0.
MCP Server implementation: HTTP-Based Streamable transport using @modelcontextprotocol/sdk with HTTP transport, session management, and tool execution.
OAuth authentication/3rd party authorization: Implements an OAuth server for MCP clients to process 3rd party authorization servers like Auth0, providing Dynamic Application Registration for MCP server.
Storage: Provide storage for MCP server to store data like OAuth sessions, tokens, etc.
Session Management: Support stateful sessions by using replay of initial request.
Tools:
aws-ecs: Investigate the ECS service, task and cloudwatch logs using AWS ECS, Cloudwatch Logs and Bedrock
aws-s3: Get the list of S3 buckets and objects
system-time: Get the current system time in various formats with timezone support
echo: Echo a message back with transformations, repetition
streaming: Simulate real-time streaming data with live updates
project: Find keywords in the current project directory
Prompts: echo
The Model Context Protocol spec requires Dynamic Application Registration because it provides a standardized way for MCP clients to automatically register with new servers and obtain OAuth client IDs without user interaction. The main reason for this mechanism is because MCP clients can't know all possible services in advance and manual registration would create significant effort for users and it is not scalable. If do not support Dynamic Application Registration, then MCP clients need to provide OAuth client ID and secret to the server, which is not secure and not scalable.
However, enabling Dynamic Application Registration (if supported) becomes a security risk because the endpoint is a public endpoint that anyone can create OAuth clients. It can easily be abused, such as by flooding with unwanted client registrations. Hence, Auth0 has disabled Dynamic Application Registration
As a result, this project provides a way to enable Dynamic Application Registration for MCP server by using OAuth Proxy, but delegating authorization to 3rd party authorization server like Auth0, Github, Google, etc.
Endpoint | Description |
GET /ping | Ping the server |
POST /mcp | MCP protocol request with authentication |
DELETE /mcp | Session termination |
GET /.well-known/oauth-authorization-server | OAuth authorization server metadata |
GET /.well-known/oauth-protected-resource | OAuth protected resources metadata |
POST /oauth/register | Register a new MCP client |
GET /oauth/authorize | Handle authorization request |
POST /oauth/token | Handle token request |
POST /oauth/revoke | Handle token revocation |
GET /oauth/stats | Get OAuth service statistics |
GET /oauth/auth0-callback | Handle Auth0 callback |
Clone the repository:
Install dependencies:
Set up environment variables:
Set up the MCP server for local development
Create MCP configuration file for local build
Create a .cursor/mcp.json file in your project directory (for project-specific setup) or ~/.cursor/mcp.json in your home directory (for global setup):
npx @modelcontextprotocol/inspector to test the MCP serverCopy mcp-config.example.json to mcp-config.json
Edit mcp-config.json to point to the correct MCP server
Run the inspector
or
Create a new application in Auth0
Go to Auth0 Dashboard
Click on "Applications"
Click on "Create Application"
Name: MCP Server Boilerplate
Application Type: Regular Web Application
Click on "Create"
Set up the application
Click on "Settings"
Set the following settings:
Allowed Callback URLs: http://localhost:3000/oauth/auth0-callback
Allowed Web Origins: http://localhost:3000
Create a new API
Click on "APIs"
Click on "Create API"
Name: MCP Server Boilerplate
Identifier: urn:mcp-server-playground
JSON Web Token (JWT) Profile: Auth0
JSON Web Token (JWT) Signature Algorithm: RS256
Click on "Create"
When the MCP server is deployed as a cluster, it is not possible to make it stateful with multiple MCP Server instances because the transport is not shared between instances by design.
To make it truly stateful, I used Valkey to store the session id with the initial request.
When the request comes in to alternative MCP server instance, it will check if the session id is in the Valkey. If it is, it will replay the initial request and connect the transport to the server.
Inspired from https://github.com/modelcontextprotocol/modelcontextprotocol/discussions/102
The below diagram shows the flow of the stateful session management.
Streaming is not working as expected. It returns the final result instead of streaming the data.
Metadata Discovery | Client Registration | Preparing Authorization |
Authorization with 3rd party server | Request Authorization and acquire authorization code | Token Request and Authentication Complete |
This server cannot be installed
remote-capable server
The server can be hosted and run remotely because it primarily relies on remote services or has no dependency on the local environment.
A comprehensive Model Context Protocol server template that implements HTTP-based transport with OAuth proxy for third-party authorization servers like Auth0, enabling AI tools to securely connect while supporting Dynamic Application Registration.
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/chrisleekr/mcp-server-boilerplate'
If you have feedback or need assistance with the MCP directory API, please join our Discord server