Skip to content

v0.1.0

Choose a tag to compare

@github-actions github-actions released this 04 Jul 09:58
Immutable release. Only release title and notes can be modified.

OAuth in your MCP server, instead of an API key in your client's config

First release. mcp-sso is a spec-correct OAuth 2.1 resource-server verifier plus a small AS-lite bridge for remote MCP servers: it speaks DCR + PKCE + consent to MCP clients (Claude Code, claude.ai, ChatGPT, Cursor) while your identity provider — Cloudflare Access, Microsoft Entra ID, or any OIDC provider — stays the identity source of truth. The bridge mints its own audience-bound tokens; upstream IdP tokens never pass through.

npm install mcp-sso

What's in v0.1.0

  • Resource-server verifier — RFC 9728 Protected Resource Metadata (root + path-inserted), WWW-Authenticate challenges, scope step-up, fail-closed audience validation.
  • AS-lite bridge — RFC 7591 DCR (stateless or stored-client mode), PKCE S256, consent (approve/deny), refresh-token rotation with family replay-detection, RFC 6749 §5.2 wire errors, RFC 9207 iss.
  • Identity ports — Cloudflare Access, Microsoft Entra ID (multi-tenant, nonce-bound), and a dev-only stub for local testing.
  • Framework adapters/fastify, /express, /hono.
  • Storesnode:sqlite (recommended zero-ops production default) and an in-memory store, sharing one conformance suite.
  • Supply chainjose is the only runtime dependency; every pin is ≥15 days old; CI actions are SHA-pinned; this release itself is published via npm Trusted Publishing (OIDC, no token) with --provenance.
  • A published threat model (docs/threat-model.md) and full contract surface (docs/contracts.md).
  • Verified end-to-end: the official MCP SDK client, Claude Code, and a claude.ai custom connector have all completed the full register → authorize → consent → token → call → refresh → revoke flow against the runnable example in examples/fastify-sqlite.

Not yet in this release

Console-pairing identity (zero-IdP-setup onboarding), GitHub/Google identity presets, quickstart auto-keygen, CIMD, and the client_credentials grant are tracked for a future release — see the Roadmap section in the README.

Docs

Full Changelog: https://github.com/acartag7/mcp-sso/commits/v0.1.0