v0.2.0
Immutable
release. Only release title and notes can be modified.
v0.2.0 is the largest release since launch: eight feature sessions plus a security-hardening review cycle, every PR independently reviewed before merge. Published from GitHub Actions via OIDC Trusted Publishing with Sigstore provenance — verify with npm audit signatures.
New
client_credentialsgrant (the official MCP extensionio.modelcontextprotocol/oauth-client-credentials) for headless / machine-to-machine callers: machine clients are provisioned out-of-band (provisionMachineClient— no HTTP provisioning surface by design), secrets stored as SHA-256 only and verified with uniform work,client_secret_basic+client_secret_postauth, no refresh tokens. The reservedmcc_subject namespace is enforced across the whole token lifecycle — grant creation, code exchange, refresh, and verification (machine tokens mint agty: "client_credentials"marker; the verifier requiressub == client_idand the marker). See the Machine-to-machine guide.- Upstream redirect orchestrator (
createUpstreamRedirectFlow) — the full browser leg for redirect-based OIDC IdPs (Entra today): signed single-use flow cookie (__Host-profile), strict callback validation with fixed error mappings (IdP error text is never echoed), mandatory upstream PKCE, same-browser consent delivery. You no longer hand-write the riskiest OAuth code per deployment. - Entra group→scope authorization — map Entra group membership (GUID-keyed, display names rejected) to a per-user scope ceiling; group overage fails closed. The two-gate authorization model is documented in
docs/authorization.md. allowedScopesceiling (IdP-agnostic) — identity-derived scope narrowing, intersected at consent preparation AND approval, so accumulated prior grants can never resurrect a revoked scope./store/mysql— pooledmysql2store (row-locked rotation, fail-closed boot asserts for strict mode/collation/engine) and/rate-limit/redis(fixed-window, fail-open so a limiter outage never locks out auth). Both optional peer deps.- Audit reference sinks —
JsonlFileAudit(0600, append-only, log-injection-safe), https-only no-redirectWebhookAudit,combineAuditfan-out; nine new event names including failed-login visibility (identity.verify). Deployment guide:docs/audit-deployment.md. - Zero-setup quickstart —
loadOrCreateQuickstartSecretsauto-generates and persists signing material (0700/0600, fail-closed, never a silent ephemeral fallback) and console pairing (/identity/console-pairing) gives you real OAuth with no IdP: paste a one-time code from the server console. The oldDEV_STUB_SUBJECTbypass is gone. examples/api-key-gateway— a worked example of the most common production shape: SSO in front of a backend that only understands a static API key, with the key injected server-side and never visible to any MCP client. Rules documented indocs/gateway-deployment.md.
Hardened
- Consent approval is fail-closed at both the adapter and the core: only an explicit
approved=trueapproves — an absent or malformed field denies (#21, #23) - The hono adapter no longer reads
X-Forwarded-For: a deployer-suppliedclientIpextractor keys the rate limiter, so an attacker-chosen header can't select its own bucket (#21) MemoryStorenow matches sqlite/mysql on token-hash collisions (no silent overwrite), and the collision tests moved into the shared conformance suite all stores must pass (#21)createBridgeConfigrejects unknown keys, so a secret parked on the config input can never reach the frozen public config (#13)- The example
/mcpvalidatesOriginpre-parse and method-agnostic (spec-MUST DNS-rebinding defense) (#15) - The
identityHeader-mode nonce residual is now documented at every surface a deployer reads: in header mode the fronting proxy owns id_token replay protection (#22)
Live verification status (honest)
DCR/OAuth mechanics are verified against curl, the official MCP SDK client, Claude Code, and claude.ai. The production identity legs (live Entra tenant, real-browser redirect flow, the gateway example against a real IdP) are tracked as open owner-run checklists in docs/live-verification.md — rows flip only when actually run.
Moved to v0.3
Device authorization flow (RFC 8628), CIMD, generic-OIDC/GitHub/Google identity presets, npx mcp-sso init.
Verify this release
npm i mcp-sso@0.2.0
npm audit signatures # Sigstore provenance + registry signaturesFull changelog: v0.1.1...v0.2.0