Skip to content

v0.2.0

Choose a tag to compare

@github-actions github-actions released this 07 Jul 12:16
Immutable release. Only release title and notes can be modified.
42bd8ad

v0.2.0 is the largest release since launch: eight feature sessions plus a security-hardening review cycle, every PR independently reviewed before merge. Published from GitHub Actions via OIDC Trusted Publishing with Sigstore provenance — verify with npm audit signatures.

New

  • client_credentials grant (the official MCP extension io.modelcontextprotocol/oauth-client-credentials) for headless / machine-to-machine callers: machine clients are provisioned out-of-band (provisionMachineClient — no HTTP provisioning surface by design), secrets stored as SHA-256 only and verified with uniform work, client_secret_basic + client_secret_post auth, no refresh tokens. The reserved mcc_ subject namespace is enforced across the whole token lifecycle — grant creation, code exchange, refresh, and verification (machine tokens mint a gty: "client_credentials" marker; the verifier requires sub == client_id and the marker). See the Machine-to-machine guide.
  • Upstream redirect orchestrator (createUpstreamRedirectFlow) — the full browser leg for redirect-based OIDC IdPs (Entra today): signed single-use flow cookie (__Host- profile), strict callback validation with fixed error mappings (IdP error text is never echoed), mandatory upstream PKCE, same-browser consent delivery. You no longer hand-write the riskiest OAuth code per deployment.
  • Entra group→scope authorization — map Entra group membership (GUID-keyed, display names rejected) to a per-user scope ceiling; group overage fails closed. The two-gate authorization model is documented in docs/authorization.md.
  • allowedScopes ceiling (IdP-agnostic) — identity-derived scope narrowing, intersected at consent preparation AND approval, so accumulated prior grants can never resurrect a revoked scope.
  • /store/mysql — pooled mysql2 store (row-locked rotation, fail-closed boot asserts for strict mode/collation/engine) and /rate-limit/redis (fixed-window, fail-open so a limiter outage never locks out auth). Both optional peer deps.
  • Audit reference sinksJsonlFileAudit (0600, append-only, log-injection-safe), https-only no-redirect WebhookAudit, combineAudit fan-out; nine new event names including failed-login visibility (identity.verify). Deployment guide: docs/audit-deployment.md.
  • Zero-setup quickstartloadOrCreateQuickstartSecrets auto-generates and persists signing material (0700/0600, fail-closed, never a silent ephemeral fallback) and console pairing (/identity/console-pairing) gives you real OAuth with no IdP: paste a one-time code from the server console. The old DEV_STUB_SUBJECT bypass is gone.
  • examples/api-key-gateway — a worked example of the most common production shape: SSO in front of a backend that only understands a static API key, with the key injected server-side and never visible to any MCP client. Rules documented in docs/gateway-deployment.md.

Hardened

  • Consent approval is fail-closed at both the adapter and the core: only an explicit approved=true approves — an absent or malformed field denies (#21, #23)
  • The hono adapter no longer reads X-Forwarded-For: a deployer-supplied clientIp extractor keys the rate limiter, so an attacker-chosen header can't select its own bucket (#21)
  • MemoryStore now matches sqlite/mysql on token-hash collisions (no silent overwrite), and the collision tests moved into the shared conformance suite all stores must pass (#21)
  • createBridgeConfig rejects unknown keys, so a secret parked on the config input can never reach the frozen public config (#13)
  • The example /mcp validates Origin pre-parse and method-agnostic (spec-MUST DNS-rebinding defense) (#15)
  • The identityHeader-mode nonce residual is now documented at every surface a deployer reads: in header mode the fronting proxy owns id_token replay protection (#22)

Live verification status (honest)

DCR/OAuth mechanics are verified against curl, the official MCP SDK client, Claude Code, and claude.ai. The production identity legs (live Entra tenant, real-browser redirect flow, the gateway example against a real IdP) are tracked as open owner-run checklists in docs/live-verification.md — rows flip only when actually run.

Moved to v0.3

Device authorization flow (RFC 8628), CIMD, generic-OIDC/GitHub/Google identity presets, npx mcp-sso init.

Verify this release

npm i mcp-sso@0.2.0
npm audit signatures   # Sigstore provenance + registry signatures

Full changelog: v0.1.1...v0.2.0