mcp-data-platform-v0.3.0
Release Notes: v0.3.0
Claude Desktop OAuth Authentication
This release enables Claude Desktop to authenticate to remote MCP servers via OAuth 2.1 with upstream identity provider support (Keycloak, Auth0, Okta, etc.).
Highlights
- Claude Desktop + Keycloak: Users can now connect Claude Desktop to a remote mcp-data-platform server and authenticate via their organization's identity provider
- Pre-registered OAuth Clients: Configure known clients (like Claude Desktop) with secrets in YAML config
- Upstream IdP Integration: Bridge authentication from any OIDC-compliant identity provider
- In-Memory Storage: Deploy without PostgreSQL for development and single-instance production
New Features
OAuth 2.1 Server Integration
The built-in OAuth 2.1 server is now fully wired up and accessible via HTTP endpoints:
| Endpoint | Description |
|---|---|
| /.well-known/oauth-authorization-server | Server metadata discovery |
| /oauth/authorize | Authorization endpoint (redirects to upstream IdP) |
| /oauth/callback | Callback handler for upstream IdP |
| /oauth/token | Token exchange endpoint |
| /oauth/register | Dynamic Client Registration (optional) |
Configuration
```yaml
oauth:
  enabled: true
  issuer: "https://mcp.example.com"
  # Pre-registered clients
  clients:
    - id: "claude-desktop"
      secret: "${CLAUDE_CLIENT_SECRET}"
      redirect_uris:
        - "http://localhost"
        - "http://127.0.0.1"
  # Upstream identity provider
  upstream:
    issuer: "https://keycloak.example.com/realms/your-realm"
    client_id: "mcp-data-platform"
    client_secret: "${KEYCLOAK_CLIENT_SECRET}"
    redirect_uri: "https://mcp.example.com/oauth/callback"
```
OAuth Flow
See OAuth Flow
Security
| Feature | Description |
|---|---|
| PKCE Required | All clients must use PKCE with S256 |
| Bcrypt Secrets | Client secrets stored as bcrypt hashes |
| State Validation | CSRF protection via state parameter |
| Token Expiration | Access tokens expire after 1 hour |
| Refresh Token Rotation | New refresh token issued on each use |
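The S256 requirement from the table above, shown as an added Go example (not code from mcp-data-platform): the client derives the challenge, and the token endpoint recomputes it from the verifier and rejects any other method. The function names are illustrative assumptions; the computation follows RFC 7636.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// Added example: names below are hypothetical, not the project's API.
// NewVerifier returns a 43-character code_verifier from 32 random bytes (client side).
func NewVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// S256Challenge computes BASE64URL(SHA256(code_verifier)) without padding.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyPKCE checks the verifier sent at the token endpoint against the stored challenge.
func VerifyPKCE(method, challenge, verifier string) error {
	if method != "S256" {
		return errors.New("code_challenge_method must be S256") // rejects "plain" and empty
	}
	if len(verifier) < 43 || len(verifier) > 128 {
		return errors.New("code_verifier length out of range")
	}
	want := S256Challenge(verifier)
	if subtle.ConstantTimeCompare([]byte(want), []byte(challenge)) != 1 {
		return errors.New("code_verifier does not match code_challenge")
	}
	return nil
}

func main() {
	v, err := NewVerifier()
	if err != nil {
		panic(err)
	}
	fmt.Println("S256:", VerifyPKCE("S256", S256Challenge(v), v))
	fmt.Println("plain:", VerifyPKCE("plain", v, v))
}
```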
Getting Started
1. Configure Keycloak
Create a client in Keycloak:
- Client ID: mcp-data-platform
- Client authentication: ON
- Valid redirect URIs: https://your-mcp-server/oauth/callback
2. Configure MCP Server
```yaml
server:
  transport: sse
  address: ":8080"
oauth:
  enabled: true
  issuer: "https://your-mcp-server"
  clients:
    - id: "claude-desktop"
      secret: "your-secret"
      redirect_uris:
        - "http://localhost"
        - "http://127.0.0.1"
  upstream:
    issuer: "https://keycloak.example.com/realms/your-realm"
    client_id: "mcp-data-platform"
    client_secret: "${KEYCLOAK_CLIENT_SECRET}"
    redirect_uri: "https://your-mcp-server/oauth/callback"
```
3. Connect Claude Desktop
In Claude Desktop, add the MCP server:
- URL: https://your-mcp-server
- Client ID: claude-desktop
- Client Secret: (the secret you configured)
When connecting, Claude Desktop will open your browser for Keycloak login.
Documentation
- OAuth 2.1 Server - Complete setup guide
- Authentication Overview - Security model and flows
Breaking Changes
None. Existing configurations without oauth.enabled: true are unaffected.
Upgrade Notes
No action required for existing deployments. To enable OAuth:
- Add oauth configuration block to your YAML config
- Set oauth.enabled: true
- Configure clients and/or upstream IdP
- Restart the server
Contributors
Thank you to everyone who contributed to this release.
Full Changelog: v0.2.0...v0.3.0
Installation
Homebrew (macOS)
```bash
brew install txn2/tap/mcp-data-platform
```
Claude Code CLI
```bash
claude mcp add mcp-data-platform -- mcp-data-platform
```
Docker
```bash
docker pull ghcr.io/txn2/mcp-data-platform:v0.3.0
```
Verification
All release artifacts are signed with Cosign. Verify with:
```bash
cosign verify-blob --bundle mcp-data-platform_0.3.0_linux_amd64.tar.gz.sigstore.json \
  mcp-data-platform_0.3.0_linux_amd64.tar.gz
```