MCP.so
ログイン

Implementing OAuth for Streamable HTTP Server & Client without PKCE

@asibyl

Implementing OAuth for Streamable HTTP Server & Client without PKCE について

MCP Streamable HTTP Server with Device Flow OAuth

基本情報

カテゴリ

開発者ツール

ランタイム

node

トランスポート

stdio

公開者

asibyl

設定

以下の設定を使って、このサーバーを MCP 対応クライアントに追加してください。

{
  "mcpServers": {
    "streamable-http-server": {
      "command": "npx",
      "args": [
        "tsx",
        "server/index_streamable.ts"
      ],
      "env": {
        "GITHUB_CLIENT_ID": "",
        "GITHUB_CLIENT_SECRET": ""
      }
    }
  }
}

ツール

ツールは検出されませんでした

ツールは README から自動的に抽出されます。メンテナーは ## Tools という見出しの下に記載することで、このタブに反映できます。

概要

What is Implementing OAuth for Streamable HTTP Server & Client without PKCE?

A reference implementation that adds OAuth support to the Streamable HTTP Server and Client using the device authorization grant flow (device flow) instead of browser-based redirects. It integrates with GitHub as the OAuth provider and is intended for developers who need headless OAuth authentication for MCP (Model Context Protocol) servers.

How to use Implementing OAuth for Streamable HTTP Server & Client without PKCE?

Clone the repository, install dependencies with npm install, set the GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET environment variables from a GitHub OAuth App that has "Enable Device Flow" selected, then start the server with npx tsx server/index_streamable.ts and the client with npx tsx client/client.ts.

Key features of Implementing OAuth for Streamable HTTP Server & Client without PKCE

  • Streamable HTTP Server with OAuth device flow support
  • Streamable HTTP Client with headless OAuth support
  • Replaces browser-based OAuth with device code flow
  • No PKCE required due to device flow security
  • Uses GitHub as the OAuth provider

Use cases of Implementing OAuth for Streamable HTTP Server & Client without PKCE

  • Automating MCP server OAuth without an interactive browser
  • Running OAuth flows in headless environments or CI/CD
  • Testing Streamable HTTP OAuth without the MCP Inspector

FAQ from Implementing OAuth for Streamable HTTP Server & Client without PKCE

Why is PKCE not used?

Device flow does not require PKCE because there is no redirect or client-side code handling. The user interacts directly with GitHub, and all token exchange happens server-to-server. The device code is short-lived and tied to the requesting client.

What runtime dependencies are required?

Node.js, npm, and tsx for running TypeScript files.

How do I configure the GitHub OAuth app?

Go to GitHub Developer Settings, create an OAuth App, set a callback URL (e.g., http://localhost), and enable "Device Flow". Note the Client ID and Client Secret, then set them as environment variables.

Can I use a different OAuth provider?

The README only documents configuration with GitHub. The implementation is tied to GitHub’s device flow endpoint.

Where are tokens and sessions stored?

The server stores access tokens and session tokens in its own token store (in-memory). No persistent storage is described.

コメント

「開発者ツール」の他のコンテンツ