Configuration Guide

Complete reference for oauth-mcp-proxy configuration options.

Config Struct

type Config struct {
    // Required
    Provider string // "hmac", "okta", "google", "azure"
    Audience string // Your API audience

    // Provider-specific
    Issuer    string // OIDC issuer URL (Okta/Google/Azure)
    JWTSecret []byte // Secret key (HMAC only)

    // Optional - OAuth Mode
    Mode string // "native" or "proxy" - auto-detected

    // Optional - Proxy Mode
    ClientID     string // OAuth client ID
    ClientSecret string // OAuth client secret
    ServerURL    string // Your server's public URL
    RedirectURIs string // Allowed redirect URIs

    // Optional - Logging
    Logger Logger // Custom logger implementation
}

Configuration Methods

Direct Config

Create Config struct directly:

ConfigBuilder (v0.2.0+)

Use fluent API with auto-generated ServerURL:

Benefits:

• Auto-generates ServerURL from host/port/TLS

• Validates config during Build()

• Cleaner, more readable code

FromEnv() (v0.2.0+)

Read configuration from environment variables:

Environment variables:

• OAUTH_PROVIDER - Provider name

• OAUTH_MODE - OAuth mode (optional)

• OIDC_ISSUER - Issuer URL

• OIDC_AUDIENCE - Audience

• OIDC_CLIENT_ID - Client ID (proxy mode)

• OIDC_CLIENT_SECRET - Client secret (proxy mode)

• OAUTH_REDIRECT_URIS - Redirect URIs (proxy mode)

• JWT_SECRET - HMAC secret

• MCP_URL - Full server URL (or auto-generated from below)

• MCP_HOST - Server host (default: localhost)

• MCP_PORT - Server port (default: 8080)

• HTTPS_CERT_FILE - TLS cert file (enables HTTPS)

• HTTPS_KEY_FILE - TLS key file (enables HTTPS)

Benefits:

• 12-factor app compliant

• Easy Kubernetes/Docker deployment

• No code changes for config updates

Required Fields

Provider

Type: string Required: Yes Values: "hmac", "okta", "google", "azure"

Specifies which OAuth provider to use for token validation.

See: Provider Guides for setup instructions

Audience

Type: string Required: Yes Purpose: Validates the aud claim in JWT tokens

The audience must match exactly. This prevents token reuse across services.

Examples:

Provider-Specific Fields

Issuer

Type: string Required: For OIDC providers (okta, google, azure) Not used: HMAC provider

The OAuth provider's issuer URL. Must match token's iss claim exactly.

Examples:

Important:

• No trailing slash

• Must serve /.well-known/openid-configuration

• HTTPS required

JWTSecret

Type: []byte Required: For HMAC provider only Not used: OIDC providers

Shared secret for HMAC-SHA256 token validation.

Examples:

Security: Never hardcode! Use environment variables. See SECURITY.md.

OAuth Mode

Mode

Type: string Optional: Auto-detected if not specified Values: "native", "proxy"

Determines whether client or server handles OAuth flow.

Auto-detection:

Explicit:

Native Mode

When: OAuth-capable clients (Claude Desktop, browser apps)

Client: Authenticates directly with provider → Gets token → Calls MCP server Server: Only validates tokens (no OAuth endpoints used)

Config:

OAuth endpoints: Return 404 with helpful message (not needed by client)

Proxy Mode

When: Simple clients that can't do OAuth (CLI tools, legacy clients)

Client: Calls MCP server → Server proxies to provider → Returns token to client Server: Full OAuth authorization server functionality

Config:

OAuth endpoints: Fully functional (/oauth/authorize, /oauth/callback, /oauth/token)

Mode Comparison:

Proxy Mode Fields

ClientID

Type: string Required: For proxy mode Purpose: OAuth client identifier from provider

Obtained from your OAuth provider:

• Okta: Application → General → Client ID

• Google: Cloud Console → Credentials → OAuth 2.0 Client ID

• Azure: App registrations → Application (client) ID

ClientSecret

Type: string Required: For proxy mode (confidential clients) Purpose: OAuth client secret for token exchange

Security:

See: SECURITY.md for secret management best practices.

ServerURL

Type: string Required: For proxy mode Purpose: Your MCP server's public URL

Used for:

• OAuth metadata endpoints (issuer URL)

• Redirect URI construction

• Endpoint URL generation

Requirements:

• HTTPS in production

• No trailing slash

• Publicly accessible (for OAuth provider callbacks)

RedirectURIs

Type: string Required: For proxy mode Purpose: OAuth redirect URI validation

Single URI (Fixed Redirect):

Server uses this URI with provider. For security, client redirects must be localhost only.

Multiple URIs (Allowlist):

Comma-separated list. Client's redirect_uri must exactly match one of these.

Security:

• HTTPS required for non-localhost

• No wildcards allowed

• Exact string match

• See SECURITY.md for redirect URI security

Optional Fields

Logger

Type: Logger interface Default: Uses log.Printf with level prefixes Purpose: Custom logging integration

Implement Logger interface to integrate with your logging system:

Examples:

Zap:

Logrus:

Default behavior:

What gets logged: See examples/README.md

Validation

Configuration is validated when calling WithOAuth() or NewServer():

Validation Rules

All modes:

• Provider must be one of: hmac, okta, google, azure

• Audience is required

• Provider-specific fields validated (JWTSecret for HMAC, Issuer for OIDC)

Proxy mode:

• ClientID required

• ServerURL required

• RedirectURIs required

Native mode:

• ClientID, ServerURL, RedirectURIs optional (ignored if provided)

Complete Examples

HMAC (Testing)

Okta (Native - Recommended)

Okta (Proxy - For Simple Clients)

Google

Azure AD

Environment Variables Pattern

Recommended .env structure:

Load in code:

See Also

• Provider Guides - Provider-specific setup

• SECURITY.md - Security best practices

• TROUBLESHOOTING.md - Common configuration issues