Description
We've built an MCP Hub platform (pAIchart) that orchestrates multiple MCP services with per-user authentication.
We've successfully implemented per-user JWT passthrough to Snowflake using their External OAuth feature — where
our Hub's JWKS-signed JWT is validated directly by Snowflake, mapping the user's email claim to a Snowflake
account. This means each user's queries run as themselves, not a shared service account.
We'd love to see GitHub's MCP server support a similar pattern.
The Pattern
User authenticates to MCP Hub
→ Hub mints RS256 JWT (with email, role, sub claims)
→ Hub forwards JWT to external MCP service
→ External service validates JWT against Hub's JWKS endpoint
→ Service maps email claim to a local user account
→ Operations execute as that user with their permissions
This is standard OAuth 2.0 External Authorization Server support (similar to what Snowflake, Databricks, and
Azure SQL offer).
Why This Matters for GitHub's MCP Server
Currently, GitHub's MCP server authenticates via PAT or GitHub's own OAuth. In a multi-user MCP Hub scenario,
this means either:
- Service account (PAT): All operations run as one user — no per-user audit trail
- Store GitHub OAuth tokens: Security risk — the Hub must retain provider tokens
With External OAuth support, the Hub's JWT (validated via JWKS) would map to GitHub users, enabling:
- Per-user operations: Each user's PRs, issues, commits attributed to them
- No stored credentials: The Hub's JWT is ephemeral (15-min TTL) and JWKS-validated
- Audit trail: GitHub's own audit log shows the actual user, not a service account
- Zero-trust: GitHub validates the JWT independently via the Hub's public JWKS endpoint
Our Implementation (Reference)
We've production-validated this pattern with Snowflake:
- JWKS endpoint: Public RSA keys for JWT validation
- JWT claims: sub, email, role, iss (issuer), aud (audience), exp, iat
- Algorithm: RS256 (asymmetric — no shared secrets)
- Scope: session:role-any for role selection
- User mapping: JWT email → Snowflake login_name (configurable claim)
The Snowflake configuration is straightforward:
CREATE SECURITY INTEGRATION my_external_oauth
TYPE = external_oauth
EXTERNAL_OAUTH_TYPE = custom
EXTERNAL_OAUTH_ISSUER = 'https://my-hub.example.com'
EXTERNAL_OAUTH_JWS_KEYS_URL = 'https://my-hub.example.com/.well-known/jwks.json'
EXTERNAL_OAUTH_TOKEN_USER_MAPPING_CLAIM = 'email'
EXTERNAL_OAUTH_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'login_name'
EXTERNAL_OAUTH_ANY_ROLE_MODE = 'ENABLE';
What We're Asking
We understand this is a significant feature. We're not asking for immediate implementation — rather, we'd like
GitHub to consider External OAuth as a broader capability for the MCP server ecosystem:
1. Accept JWTs from configurable authorization servers (via JWKS URL)
2. Map a configurable JWT claim (e.g., email) to a GitHub user
3. Use the mapped user's permissions for all operations
This would make GitHub's MCP server a first-class citizen in multi-user MCP Hub architectures, just as
Snowflake's External OAuth support has done for data warehouse integrations.
Context
- MCP specification: https://modelcontextprotocol.io
- External OAuth pattern (Snowflake): https://docs.snowflake.com/en/user-guide/oauth-ext-custom
- Our platform: https://paichart.app
Happy to share more details about our implementation or collaborate on the design.
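The pattern described in this issue, written out as an added Go example (not the issue author's code and not code from the github-mcp-server project): the Hub publishes a JWKS and mints an RS256 JWT with the listed claims; the external service pins the algorithm, verifies the signature against the JWKS entry named by kid, checks iss, aud and exp, and only then maps the email claim to a local account. The issuer URL is the one from the Snowflake configuration above; the key id `hub-key-1`, the audience `github-mcp`, the in-memory `directory` map standing in for the service's real user lookup, and the function names are my own assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims is the claim set the issue lists for the Hub-minted JWT.
type Claims struct {
	Sub   string `json:"sub"`
	Email string `json:"email"`
	Role  string `json:"role"`
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Iat   int64  `json:"iat"`
}

// JWK carries RFC 7517 fields (kty, kid, alg, use, n, e); JWKS is the /.well-known/jwks.json document.
type JWK map[string]string
type JWKS struct{ Keys []JWK `json:"keys"` }

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// PublishJWKS (Hub side): expose only the public half of the signing key.
func PublishJWKS(pub *rsa.PublicKey, kid string) JWKS {
	e := big.NewInt(int64(pub.E)).Bytes()
	return JWKS{Keys: []JWK{{"kty": "RSA", "kid": kid, "alg": "RS256", "use": "sig", "n": b64(pub.N.Bytes()), "e": b64(e)}}}
}

// MintJWT (Hub side): RS256-sign base64url(header).base64url(claims); kid names the JWKS entry.
func MintJWT(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64(sig), err
}

// lookupKey (service side): rebuild the RSA public key whose kid the token names.
func lookupKey(jwks JWKS, kid string) (*rsa.PublicKey, error) {
	for _, k := range jwks.Keys {
		n, errN := base64.RawURLEncoding.DecodeString(k["n"])
		e, errE := base64.RawURLEncoding.DecodeString(k["e"])
		if k["kid"] == kid && k["kty"] == "RSA" && errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, fmt.Errorf("no usable RSA key with kid %q", kid)
}

// VerifyJWT (service side): pin the algorithm, verify against the Hub's JWKS, then check iss/aud/exp.
func VerifyJWT(token string, jwks JWKS, wantIss, wantAud string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, fmt.Errorf("malformed token")
	}
	rawHdr, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	rawBody, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return Claims{}, fmt.Errorf("malformed base64 segment")
	}
	// The service fixes the algorithm; the token's alg header is checked, never obeyed
	// (this is what rejects alg=none and RS256/HS256 key-confusion tokens).
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(rawHdr, &hdr); err != nil || hdr.Alg != "RS256" {
		return Claims{}, fmt.Errorf("header rejected: only RS256 is accepted")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub, err := lookupKey(jwks, hdr.Kid); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return Claims{}, fmt.Errorf("signature rejected for kid %q", hdr.Kid)
	}
	// iss: only the configured Hub; aud: a token the Hub minted for Snowflake must not
	// be accepted here; exp: the short TTL is enforced by the verifier, not the Hub.
	var c Claims
	if err := json.Unmarshal(rawBody, &c); err != nil || c.Iss != wantIss || c.Aud != wantAud || now.Unix() >= c.Exp {
		return Claims{}, fmt.Errorf("claims rejected (iss=%q aud=%q exp=%d)", c.Iss, c.Aud, c.Exp)
	}
	return c, nil
}

// MapUser (service side): map the email claim to a local account; directory is a constructed stand-in.
func MapUser(c Claims, directory map[string]string) (string, error) {
	if login, ok := directory[strings.ToLower(c.Email)]; ok && c.Email != "" {
		return login, nil
	}
	return "", fmt.Errorf("no local account for email %q", c.Email)
}
```

In a real deployment the service would fetch and cache the JWKS from the configured EXTERNAL_OAUTH_JWS_KEYS_URL-style endpoint over HTTPS rather than receive it as a parameter, and the directory lookup is the step GitHub would have to own (email to GitHub user). The aud check is what keeps a single Hub key from granting cross-service access: a token minted for Snowflake fails verification at the GitHub side even though the signature is valid, and unknown or empty emails are denied rather than falling back to a service account.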