mcp-oauth-gateway

An OAuth 2.1 Authorization Server that adds authentication to any MCP (Model Context Protocol) server without code modification.

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add --transport stdio atrawog-mcp-oauth-gateway docker run -i atrawog/mcp-oauth-gateway \
  --env LOG_LEVEL="info" \
  --env OIDC_ISSUER="https://github.com/login/oauth" \
  --env OAUTH_SCOPES="read:user user:email" \
  --env TLS_KEY_FILE="/path/to/key.pem" \
  --env HTTPS_ENABLED="true" \
  --env TLS_CERT_FILE="/path/to/cert.pem" \
  --env GITHUB_CLIENT_ID="your-github-oauth-app-client-id" \
  --env MCP_API_BASE_URL="https://your-mcp-api-base.example" \
  --env OAUTH_REDIRECT_URI="https://auth.yourdomain/.oauth/callback" \
  --env OAUTH_PKCE_REQUIRED="true" \
  --env GITHUB_CLIENT_SECRET="your-github-oauth-app-client-secret" \
  --env OAUTH_TOKEN_LIFETIME_MINUTES="60"

How to use

The MCP OAuth Gateway acts as an OAuth 2.1 Authorization Server that sits in front of MCP servers to provide authentication without modifying the MCP services themselves. It uses GitHub as the identity provider and supports dynamic client registration in accordance with RFC 7591/7592. When a client requests MCP resources, the gateway ensures the user is authenticated, issues tokens, and forwards the authenticated MCP requests to your MCP services with the user identity attached in headers. This enables secure, zero-modification authentication for your MCP ecosystem while centralizing authorization logic.

How to install

Prerequisites:

  • Docker installed on the host
  • Access rights to pull the atrawog/mcp-oauth-gateway image or build from a provided image

Installation steps:

  1. Pull the gateway image (or use the docker run command directly):
docker pull atrawog/mcp-oauth-gateway:latest
  2. Create a configuration file or set environment variables to configure OAuth with GitHub and the MCP backend:
# Example environment setup (adjust values to your environment)
export GITHUB_CLIENT_ID=your-github-client-id
export GITHUB_CLIENT_SECRET=your-github-client-secret
export OAUTH_SCOPES="read:user user:email"
export OAUTH_PKCE_REQUIRED=true
export OAUTH_TOKEN_LIFETIME_MINUTES=60
export OAUTH_REDIRECT_URI=https://auth.yourdomain/.oauth/callback
  3. Run the gateway container with your configuration:
docker run -d --name mcp-oauth-gateway \
  -e GITHUB_CLIENT_ID="$GITHUB_CLIENT_ID" \
  -e GITHUB_CLIENT_SECRET="$GITHUB_CLIENT_SECRET" \
  -e OAUTH_SCOPES="$OAUTH_SCOPES" \
  -e OAUTH_PKCE_REQUIRED="$OAUTH_PKCE_REQUIRED" \
  -e OAUTH_TOKEN_LIFETIME_MINUTES="$OAUTH_TOKEN_LIFETIME_MINUTES" \
  -e OAUTH_REDIRECT_URI="$OAUTH_REDIRECT_URI" \
  -p 443:443 \
  atrawog/mcp-oauth-gateway
  4. Verify the gateway is running and accessible at your domain, and test the OAuth flow via the /authorize and /token endpoints as described in the documentation.

Additional notes

Tips and notes:

  • This gateway is a reference/test platform for MCP and may contain security gaps; do not expose to production without thorough review.
  • Ensure HTTPS/TLS is properly configured; PKCE is recommended for public clients.
  • Use the /register endpoints to manage OAuth clients dynamically if supported by your deployment.
  • The gateway expects MCP services to be reachable via the MCP_API_BASE_URL and will forward authenticated requests with user identity in headers.
  • If you plan to run multiple MCP services behind the gateway, configure dynamic routing and service discovery to enable/disable MCP services as needed.
  • Common issues: misconfigured GitHub OAuth app (redirect URI mismatch), improper TLS certificates, network accessibility between the gateway and MCP services, and token revocation settings in Redis.