v0.1.0
Immutable
release. Only release title and notes can be modified.
OAuth in your MCP server, instead of an API key in your client's config
First release. mcp-sso is a spec-correct OAuth 2.1 resource-server verifier plus a small AS-lite bridge for remote MCP servers: it speaks DCR + PKCE + consent to MCP clients (Claude Code, claude.ai, ChatGPT, Cursor) while your identity provider — Cloudflare Access, Microsoft Entra ID, or any OIDC provider — stays the identity source of truth. The bridge mints its own audience-bound tokens; upstream IdP tokens never pass through.
npm install mcp-ssoWhat's in v0.1.0
- Resource-server verifier — RFC 9728 Protected Resource Metadata (root + path-inserted),
WWW-Authenticatechallenges, scope step-up, fail-closed audience validation. - AS-lite bridge — RFC 7591 DCR (stateless or stored-client mode), PKCE S256, consent (approve/deny), refresh-token rotation with family replay-detection, RFC 6749 §5.2 wire errors, RFC 9207
iss. - Identity ports — Cloudflare Access, Microsoft Entra ID (multi-tenant, nonce-bound), and a dev-only stub for local testing.
- Framework adapters —
/fastify,/express,/hono. - Stores —
node:sqlite(recommended zero-ops production default) and an in-memory store, sharing one conformance suite. - Supply chain —
joseis the only runtime dependency; every pin is ≥15 days old; CI actions are SHA-pinned; this release itself is published via npm Trusted Publishing (OIDC, no token) with--provenance. - A published threat model (
docs/threat-model.md) and full contract surface (docs/contracts.md). - Verified end-to-end: the official MCP SDK client, Claude Code, and a claude.ai custom connector have all completed the full register → authorize → consent → token → call → refresh → revoke flow against the runnable example in
examples/fastify-sqlite.
Not yet in this release
Console-pairing identity (zero-IdP-setup onboarding), GitHub/Google identity presets, quickstart auto-keygen, CIMD, and the client_credentials grant are tracked for a future release — see the Roadmap section in the README.
Docs
- README — quickstart, alternatives comparison, live-client conformance matrix
- Contracts — full port/schema/error surface
- Threat model
- Dependency ledger
Full Changelog: https://github.com/acartag7/mcp-sso/commits/v0.1.0