Implementing OAuth for Streamable HTTP Server & Client without PKCE
@asibyl
Implementing OAuth for Streamable HTTP Server & Client without PKCE について
MCP Streamable HTTP Server with Device Flow OAuth
基本情報
設定
以下の設定を使って、このサーバーを MCP 対応クライアントに追加してください。
{
"mcpServers": {
"streamable-http-server": {
"command": "npx",
"args": [
"tsx",
"server/index_streamable.ts"
],
"env": {
"GITHUB_CLIENT_ID": "",
"GITHUB_CLIENT_SECRET": ""
}
}
}
}ツール
ツールは検出されませんでした
ツールは README から自動的に抽出されます。メンテナーは ## Tools という見出しの下に記載することで、このタブに反映できます。
概要
What is Implementing OAuth for Streamable HTTP Server & Client without PKCE?
A reference implementation that adds OAuth support to the Streamable HTTP Server and Client using the device authorization grant flow (device flow) instead of browser-based redirects. It integrates with GitHub as the OAuth provider and is intended for developers who need headless OAuth authentication for MCP (Model Context Protocol) servers.
How to use Implementing OAuth for Streamable HTTP Server & Client without PKCE?
Clone the repository, install dependencies with npm install, set the GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET environment variables from a GitHub OAuth App that has "Enable Device Flow" selected, then start the server with npx tsx server/index_streamable.ts and the client with npx tsx client/client.ts.
Key features of Implementing OAuth for Streamable HTTP Server & Client without PKCE
- Streamable HTTP Server with OAuth device flow support
- Streamable HTTP Client with headless OAuth support
- Replaces browser-based OAuth with device code flow
- No PKCE required due to device flow security
- Uses GitHub as the OAuth provider
Use cases of Implementing OAuth for Streamable HTTP Server & Client without PKCE
- Automating MCP server OAuth without an interactive browser
- Running OAuth flows in headless environments or CI/CD
- Testing Streamable HTTP OAuth without the MCP Inspector
FAQ from Implementing OAuth for Streamable HTTP Server & Client without PKCE
Why is PKCE not used?
Device flow does not require PKCE because there is no redirect or client-side code handling. The user interacts directly with GitHub, and all token exchange happens server-to-server. The device code is short-lived and tied to the requesting client.
What runtime dependencies are required?
Node.js, npm, and tsx for running TypeScript files.
How do I configure the GitHub OAuth app?
Go to GitHub Developer Settings, create an OAuth App, set a callback URL (e.g., http://localhost), and enable "Device Flow". Note the Client ID and Client Secret, then set them as environment variables.
Can I use a different OAuth provider?
The README only documents configuration with GitHub. The implementation is tied to GitHub’s device flow endpoint.
Where are tokens and sessions stored?
The server stores access tokens and session tokens in its own token store (in-memory). No persistent storage is described.
「開発者ツール」の他のコンテンツ
MCP Inspector
modelcontextprotocolVisual testing tool for MCP servers

Sentry
modelcontextprotocolModel Context Protocol Servers
MCP-Scan: An MCP Security Scanner
invariantlabs-aiSecurity scanner for AI agents, MCP servers and agent skills.
Grafana MCP server
grafanaMCP server for Grafana
OpenSumi
opensumiA framework helps you quickly build AI Native IDE products. MCP Client, supports Model Context Protocol (MCP) tools via MCP server.
コメント