Skip to content

Add MCP OAuth 2.1 compliance — browser flow replaces copy-paste URLs #8

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
rianvdm merged 19 commits into from
Mar 16, 2026
Merged

Add MCP OAuth 2.1 compliance — browser flow replaces copy-paste URLs #8

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
7a094bc
Add OAuth flow redesign spec
rianvdm Mar 15, 2026
a77f97f
Update OAuth flow spec after review iterations
rianvdm Mar 16, 2026
d0f6a92
feat: install @cloudflare/workers-oauth-provider
rianvdm Mar 16, 2026
319fb57
feat: update Env type for OAuth provider, remove JWT_SECRET
rianvdm Mar 16, 2026
8fc0f67
fix: remove OAuth signing key from console logs (security)
rianvdm Mar 16, 2026
0a441e8
refactor: createMcpServer factory with setContext for OAuth + session…
rianvdm Mar 16, 2026
7ffc335
feat: add DiscogsOAuthHandler skeleton
rianvdm Mar 16, 2026
720d5b8
feat: implement /.well-known/oauth-protected-resource endpoint
rianvdm Mar 16, 2026
b192bbb
feat: implement /authorize — Discogs request token + KV store
rianvdm Mar 16, 2026
5a156cf
feat: implement /discogs-callback — token exchange + completeAuthoriz…
rianvdm Mar 16, 2026
68fdb97
feat: implement /login and /callback manual login path with CSRF
rianvdm Mar 16, 2026
ee46f84
feat: add src/index-oauth.ts — MCP OAuth 2.1 entry point
rianvdm Mar 16, 2026
d04029b
feat: point wrangler.toml at index-oauth.ts, delete jwt.ts
rianvdm Mar 16, 2026
047a4bb
fix: update integration tests for OAuth flow
rianvdm Mar 16, 2026
b9beb07
test: routing and 401 behavior for index-oauth.ts
rianvdm Mar 16, 2026
0b66bde
test: full OAuth 2.1 round-trip integration test
rianvdm Mar 16, 2026
714f2f5
test: manual login round-trip integration test
rianvdm Mar 16, 2026
3b7f17e
Fix: Define SessionPayload locally in server.ts after removing jwt.ts
rianvdm Mar 16, 2026
184ad47
fix: add OAUTH_KV binding required by @cloudflare/workers-oauth-provider
rianvdm Mar 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
301 changes: 301 additions & 0 deletions docs/superpowers/specs/2026-03-15-oauth-flow-design.md
View file
Open in desktop

Large diffs are not rendered by default.

8 changes: 8 additions & 0 deletions package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 2 additions & 1 deletion package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,11 +33,12 @@
"wrangler": "^4.19.1"
},
"dependencies": {
"@cloudflare/workers-oauth-provider": "^0.3.0",
"@modelcontextprotocol/sdk": "^1.24.3",
"@types/crypto-js": "^4.2.2",
"agents": "^0.2.32",
"crypto-js": "^4.2.0",
"oauth-1.0a": "^2.2.6",
"zod": "^4.1.13"
}
}
}
4 changes: 0 additions & 4 deletions src/auth/discogs.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -149,10 +149,6 @@ export class DiscogsAuth {
const signature = await this.computeSignature(baseString, signingKey)
oauthParams.oauth_signature = signature

console.log('OAuth signature base string:', baseString)
console.log('OAuth signing key:', signingKey)
console.log('OAuth signature:', signature)

// Create authorization header
const authParams = Object.keys(oauthParams)
.map((key) => `${percentEncode(key)}="${percentEncode(oauthParams[key])}"`)
Expand Down
124 changes: 0 additions & 124 deletions src/auth/jwt.ts
View file
Open in desktop

This file was deleted.

Loading
Loading