MCP Servers

模型上下文协议服务器、框架、SDK 和模板的综合目录。

M
MCP Oauth Dcr
作者 @whhygee
GitHub 仓库(2 星标)

OAuth 2.0 proxy that adds Dynamic Client Registration (DCR) to OAuth providers as per MCP spec

创建于 4/8/2026
更新于 about 4 hours ago
README
View Source
Repository documentation and setup instructions

mcp-oauth-dcr

OAuth 2.0 proxy that adds Dynamic Client Registration (DCR) to OAuth providers that don't support it natively — like GitHub. Built for MCP servers, which require DCR.

The problem

The MCP spec requires OAuth servers to support Dynamic Client Registration. GitHub OAuth doesn't. If you're building an MCP server that authenticates via GitHub, you're stuck.

How it works

This library sits between MCP clients and GitHub (or any OAuth provider), proxying the OAuth flow:

  1. Registration — MCP client calls /oauth/register. Instead of forwarding to GitHub (which would fail), the library generates a random proxy token and returns it as the client_secret. The real GitHub client secret never leaves your server.
  2. Authorization/oauth/login redirects to GitHub's authorize page, forwarding PKCE parameters.
  3. Callback/oauth/callback receives GitHub's redirect and bounces the user back to the MCP client (Cursor, VS Code, Claude Code, etc.).
  4. Token exchange/oauth/token validates the proxy token, then exchanges the authorization code with GitHub using the real client secret.

The library also serves the .well-known metadata documents that MCP clients use for discovery.

Usage

import (
    "github.com/whhygee/mcp-oauth-dcr"
    "golang.org/x/oauth2/github"
)

h := mcpoauth.NewHandler(&mcpoauth.Config{
    BaseURL:      "https://example.com",
    MCPEndpoint:  "/mcp",
    ClientID:     os.Getenv("GITHUB_CLIENT_ID"),
    ClientSecret: os.Getenv("GITHUB_CLIENT_SECRET"),
    RedirectURL:  "https://example.com/oauth/callback",
    Endpoint:     github.Endpoint,
    Scopes:       []string{"user", "repo"},
    TokenStore:   myStore, // you provide this
})

mux.HandleFunc(mcpoauth.PathProtectedResource, h.HandleProtectedResourceMetadata)
mux.HandleFunc(mcpoauth.PathAuthorizationServer, h.HandleAuthorizationServerMetadata)
mux.HandleFunc(mcpoauth.PathRegister, h.HandleRegister)
mux.HandleFunc(mcpoauth.PathLogin, h.HandleLogin)
mux.HandleFunc(mcpoauth.PathCallback, h.HandleCallback)
mux.HandleFunc(mcpoauth.PathToken, h.HandleToken)

TokenStore

You need to provide a TokenStore implementation to persist proxy tokens. The interface is two methods:

type TokenStore interface {
    Put(ctx context.Context, token string) error
    Exists(ctx context.Context, token string) bool
}

Back it with whatever you have — Redis, SQL, Datastore, or an in-memory map for development.

Redirect URI allowlist

Only known-safe redirect URIs are accepted: custom schemes (cursor://, vscode://, vscode-insiders://) and localhost addresses. Override AllowedRedirectSchemes to add more:

mcpoauth.AllowedRedirectSchemes = append(mcpoauth.AllowedRedirectSchemes, "myapp")

Not just GitHub

Despite the name, Endpoint accepts any oauth2.Endpoint. If your OAuth provider lacks DCR support, this works for it too.

License

MIT

快速设置
此服务器的安装指南

安装命令 (包未发布)

git clone https://github.com/whhygee/mcp-oauth-dcr
手动安装: 请查看 README 获取详细的设置说明和所需的其他依赖项。

Cursor 配置 (mcp.json)

{ "mcpServers": { "whhygee-mcp-oauth-dcr": { "command": "git", "args": [ "clone", "https://github.com/whhygee/mcp-oauth-dcr" ] } } }