Skip to content

Added example of an MCP App secured by OAuth. #557

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: feat/mcp_agent_oauth
Choose a base branch
from
Open

Added example of an MCP App secured by OAuth. #557

wants to merge 2 commits into from

Conversation

roman-van-der-krogt
Copy link
Contributor

  • Example in examples/oauth/protected_by_oauth, including help script for client registration and README.
  • Some minor changes to make UX better (e.g. fetch introspection URL from .well-known/oauth-authorization-server)
  • Added test cases for token verifier

@roman-van-der-krogt
Added example of an MCP App secured by OAuth.
634a74a 
- Example in `examples/oauth/protected_by_oauth`, including help script for client registration and README.
- Some minor changes to make UX better (e.g. fetch introspection URL from `.well-known/oauth-authorization-server`)
- Added test cases for token verifier
@roman-van-der-krogt
fix stray comment
c86af55
@roman-van-der-krogt roman-van-der-krogt self-assigned this Oct 17, 2025
@coderabbitai coderabbitai
Copy link

coderabbitai bot commented Oct 17, 2025

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch feat/oauth-secured-example

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

graphite-app[bot]
graphite-app bot reviewed Oct 17, 2025
View reviewed changes
examples/oauth/protected_by_oauth/README.md


## Further reading
More details on oauth authorization and the MCP protocal can be found at [https://modelcontextprotocol.io/specification/draft/basic/authorization](https://modelcontextprotocol.io/specification/draft/basic/authorization).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a small typo in the README: "protocal" should be "protocol" in the sentence "More details on oauth authorization and the MCP protocol can be found at..."

Suggested change
More details on oauth authorization and the MCP protocal can be found at [https://modelcontextprotocol.io/specification/draft/basic/authorization](https://modelcontextprotocol.io/specification/draft/basic/authorization).
More details on oauth authorization and the MCP protocol can be found at [https://modelcontextprotocol.io/specification/draft/basic/authorization](https://modelcontextprotocol.io/specification/draft/basic/authorization).

Spotted by Graphite Agent

Fix in Graphite

Is this helpful? React 👍 or 👎 to let us know.

saqadri
saqadri requested changes Oct 20, 2025
View reviewed changes
Copy link
Collaborator

@saqadri saqadri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there any way we can set things up more clearly for users to be able to run this example? Right now it isn't clear all that needs to be updated in order for the example to run successfully.

Even if it includes a test oauth app (or our hosted cloud auth server), that would help a lot in getting the example runnable.

Another alternative is using env vars or mcp_agent.secrets.yaml.example to set the config properties instead of having to update the code samples

src/mcp_agent/server/token_verifier.py
Comment on lines +57 to +61
metadata_url = str(parsed_url.copy_with(path="/.well-known/oauth-authorization-server" \
+ parsed_url.path))

if metadata_url.endswith('/'):
metadata_url = metadata_url[:-1]
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a url parsing lib that would be better? Specifically thinking about the endswith check

examples/oauth/protected_by_oauth/README.md
@@ -0,0 +1,79 @@
# OAuth protected resource example
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we include our auth server URL here as an example as well? Same in main.py

examples/oauth/protected_by_oauth/registration.py
import json

# Authorization server URL.
auth_server_url = "<your oauth authorization server url>"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we set this to our oauth server URL?

saqadri
saqadri reviewed Oct 20, 2025
View reviewed changes
src/mcp_agent/config.py
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please run make schema to regenerate the schema as well

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@saqadri saqadri saqadri requested changes

@graphite-app graphite-app[bot] graphite-app[bot] left review comments

Assignees

@roman-van-der-krogt roman-van-der-krogt

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@roman-van-der-krogt @saqadri