Overview
What is MCP with OAuth?
A sample project demonstrating how to secure an MCP server using OAuth2, following the MCP specification’s authorization section. It is built with Spring Boot and Spring Security.
How to use MCP with OAuth?
Run the server with ./mvnw spring-boot:run. Obtain an access token by calling POST /oauth2/token with grant_type=client_credentials and the client ID/secret oidc-client:secret. Then paste the token into the MCP Inspector (v0.6.0) to connect.
Key features of MCP with OAuth
- OAuth2 client credentials flow for token issuance
- Token validation via Spring Security OAuth2 Resource Server
- Token expiration set to 5 minutes
- Works only in the servlet stack (no reactive support for token issuance)
Use cases of MCP with OAuth
- Securing an MCP server with standard OAuth2 tokens
- Testing MCP Inspector connectivity with token‑authenticated endpoints
- Demonstrating Spring Authorization Server integration with MCP
FAQ from MCP with OAuth
How do I obtain an access token?
Send a POST request to http://localhost:8080/oauth2/token with grant_type=client_credentials and use Basic auth with credentials oidc-client:secret.
What are the required dependencies?
Spring Security for infrastructure, Spring Authorization Server for issuing tokens, and Spring Security OAuth2 Resource Server for authenticating tokens.
How long is the token valid?
The token is valid for only 5 minutes.
Does this work with reactive (WebFlux) applications?
No, Spring Authorization Server does not support the reactive stack for issuing tokens. Token issuance works only in the Servlet environment.