
mcp s-oauth

Open source upgrade for MCP Servers to support OAuth 2.0 with Okta SSO. Easily replace .env-based auth with secure, enterprise-grade single sign-on.

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add --transport stdio xeris-ai-mcp-servers-oauth python server.py \
  --env SF_CLIENT_ID="OAuth Client ID from service provider" \
  --env SF_CLIENT_SECRET="OAuth Client Secret from service provider" \
  --env TOKEN_STORE_PATH="path to token storage file (e.g., token_store.json)" \
  --env SALESFORCE_CONNECTION_TYPE="oauth or username/password (optional; defaults to oauth flow)"

How to use

This MCP server adds OAuth 2.0 authentication to an existing Salesforce MCP workflow. It replaces hard-coded username/password credentials with a secure OAuth flow that exchanges an authorization code for short-lived access tokens and long-lived refresh tokens. On startup, the server checks for a valid access token; if the token is missing or expired, it attempts to refresh using a stored refresh token or initiates a full OAuth flow by launching a local web server and opening a browser to the service provider's login page. The updated client stores tokens locally to avoid re-authenticating on every restart, and it supports token refresh to keep access active without user intervention. When you call tools through the MCP server, it re-authenticates or refreshes tokens as needed before each operation, so that each request is sent with a valid access token.

How to install

Prerequisites:

  • Python 3.8+ installed
  • Internet access to install dependencies
  • Access to configure an OAuth application with your service provider (Client ID and Client Secret)

  1. Clone the repository
  2. Set up a Python virtual environment (recommended)
     • python3 -m venv venv
     • source venv/bin/activate # on Unix or macOS
     • .\venv\Scripts\activate # on Windows
  3. Install dependencies
     • pip install Flask requests python-dotenv
  4. Configure environment variables (example)
     • Create a .env file or export variables in your environment:
       SF_CLIENT_ID=your-client-id
       SF_CLIENT_SECRET=your-client-secret
       SALESFORCE_CONNECTION_TYPE=oauth
       TOKEN_STORE_PATH=token_store.json
  5. Run the MCP server
     • python server.py
  6. Optional: customize port or redirect URI
     • Modify oauth_flow.py and server.py to change the local callback port (default 8080) or token storage location as needed.

Additional notes

Tips and common issues:

  • Ensure the OAuth Redirect URI matches what you configured in the provider console (e.g., http://localhost:8080/callback).
  • The server uses a local token_store.json to persist access/refresh tokens; back up this file securely.
  • If you see 403/401 errors, verify that SF_CLIENT_ID and SF_CLIENT_SECRET are correct and that the refresh token is still valid.
  • The flow supports PKCE for enhanced security; keep your client secret confidential and avoid exposing it in logs.
  • If the environment variable SALESFORCE_CONNECTION_TYPE is set to a non-oauth option, the server may fall back to legacy authentication (if implemented). Adjust as needed.
  • The server will refresh tokens automatically before token expiry during tool calls; occasional re-authentication may still occur if the refresh token expires.
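
The startup check and the local token file described above, sketched as an added example (not the project's own code). The function names and the token_store.json field names access_token, refresh_token and expires_at are assumptions, as is the choice to ignore a token file that other users can read.

```python
import json, os, tempfile, time

SKEW_SECONDS = 60  # treat tokens expiring within a minute as already expired

def save_tokens(path, tokens):
    """Write the token file atomically with owner-only (0600) permissions."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".token_store.")
    try:
        with os.fdopen(fd, "w") as fh:   # mkstemp creates the file as 0600
            json.dump(tokens, fh)
        os.replace(tmp, path)            # atomic rename; no half-written file
    except BaseException:
        os.unlink(tmp)
        raise

def load_tokens(path):
    """Return stored tokens, or None if missing, corrupt, or too permissive."""
    try:
        st = os.stat(path)
        if os.name == "posix" and st.st_mode & 0o077:
            return None                  # group/other access: treat as untrusted
        with open(path) as fh:
            data = json.load(fh)
    except (OSError, ValueError):        # ValueError covers invalid JSON
        return None
    return data if isinstance(data, dict) else None

def next_action(tokens, now=None):
    """Decide the startup step: 'use', 'refresh', or 'authorize'."""
    now = time.time() if now is None else now
    if not tokens:
        return "authorize"               # nothing stored: full browser flow
    expires_at = tokens.get("expires_at")
    if (tokens.get("access_token") and isinstance(expires_at, (int, float))
            and expires_at - SKEW_SECONDS > now):
        return "use"
    if tokens.get("refresh_token"):
        return "refresh"                 # expired access token, refresh token kept
    return "authorize"
```

The permission check only applies on POSIX systems; on Windows the file's ACL has to be restricted separately.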
