OAuth-Protected

This MCP server combines an OAuth 2.0 authorization server with a protected MCP interface in a single .NET 9 application. All MCP endpoints under /mcp require a valid JWT access token obtained from the integrated OAuth server. The OAuth server exposes endpoints at the root (/.well-known/*, /token, /authorize, /register) and issues access tokens that your MCP clients and AI agents must present in the Authorization header when interacting with MCP resources. You can use ngrok to expose the local port 7071 to the internet, then point your clients to the publicly exposed domain.

To use the server, start it (dotnet run) after ensuring your environment variables and data stores are in place (RSA keys and client registrations are persisted). Retrieve a demo token via the token endpoint using the pre-configured demo client, then call MCP tools at /mcp with the Authorization: Bearer <token> header. The server supports Azure AI Foundry compatibility and Claude Code manual flows, so you can integrate with those tools by supplying a valid JWT and using the provided MCP tooling for data analysis on Enphase solar data.

Prerequisites:

• .NET 9 SDK or later installed on your machine
• Git to clone the repository
• Optional: ngrok for external access

Install and run:

1. Clone the repository: git clone https://github.com/your-repo/jzuras-oauth-protected-mcp-server.git cd jzuras-oauth-protected-mcp-server

2. Restore and build: dotnet restore dotnet build

3. Configure environment (optional, defaults shown):

   • Ensure RSA keys storage and oauth client persistence paths are writable
   • Set ASPNETCORE_URLS to http://localhost:7071 if not using the default

4. Run the application: dotnet run --project OAuth-Protected.csproj

5. (Optional) Start ngrok for external access: ngrok http 7071 --domain=your-static-domain.ngrok-free.app

6. Access endpoints:

   • OAuth server: http://localhost:7071/
   • Token: http://localhost:7071/token
   • MCP: http://localhost:7071/mcp/

Note: If you modify configuration or run in a container, ensure the root endpoints and /mcp are reachable and that JWT tokens issued by the OAuth server are used for MCP requests.

Tips and considerations:

• The server uses file-based persistence for RSA keys and registered OAuth clients. Ensure the deployment environment has appropriate write permissions to the persistence locations.
• The MCP endpoints are protected; always include a valid Bearer token in the Authorization header when calling https://<domain>/mcp/.
• If you’re using Claude Code or Azure AI Foundry agents, ensure their configurations point to the correct OAuth token endpoint and that tokens are rotated according to the configured token lifetime.
• For debugging, enable Development environment and check ASP.NET logs for authentication or endpoint mapping issues. Ensure ngrok public URL matches the resource/audience configured in the OAuth server.
• Token validation includes audience/issuer checks; Mismatches typically indicate an incorrect resource URL in the token request or a misconfigured ngrok domain.