search
Ctrlk

Configuration Guide

Complete reference for oauth-mcp-proxy configuration options.

hashtag
Config Struct

type Config struct {
    // Required
    Provider string // "hmac", "okta", "google", "azure"

    // Provider-specific
    Issuer    string // OIDC issuer URL (Okta/Google/Azure) - validated for HTTPS
    JWTSecret []byte // Secret key (HMAC only)
    Audience string // Your API audience

    // Optional - OAuth Mode
    Mode string // "native" or "proxy" - auto-detected from ClientID presence

    // Optional - Proxy Mode (server-side OAuth flow)
    ClientID     string // OAuth client ID (triggers proxy mode)
    ClientSecret string // OAuth client secret
    ServerURL    string // Your server's public URL
    RedirectURIs string // Allowed redirect URIs (comma-separated allowlist)
    
    // Optional - Fixed Redirect Mode (for mcp-remote)
    FixedRedirectURI             string // Single fixed redirect URI for proxying callbacks
    AllowedClientRedirectDomains string // Comma-separated domain suffixes allowed for client redirects

    // Optional - Token Validation
    Scopes              []string // OAuth scopes
    SkipAudienceCheck  bool   // Skip audience validation (not recommended)

    // Optional - Logging
    Logger Logger // Custom logger implementation
}

hashtag
Key Configuration Notes

Issuer URL Validation (OIDC providers):

  • Must use HTTPS for non-localhost URLs (enforced for security)

  • Must be a valid URL format

  • Cannot be empty

  • Prevents MITM attacks on OAuth communication

⚠️ Breaking Changes (v1.1.0):

  1. Issuer URL Validation: OIDC providers now enforce HTTPS. Non-HTTPS issuer URLs will cause configuration validation to fail.

  2. State Signing Key: NewServer() now panics if state signing key cannot be generated (crypto/rand failure). This ensures security but means server startup will fail on systems with broken CSPRNG.

  3. Nonce Generation: generateSecureNonce() now panics instead of falling back to weak timestamp-based nonces.

See SECURITY.md for detailed migration guide.

Redirect URI Configuration (Proxy Mode):

  • Option 1: RedirectURIs - Comma-separated allowlist of exact URIs

  • Option 2: FixedRedirectURI - Single fixed URI for proxying callbacks

  • Additional: AllowedClientRedirectDomains - Domain suffixes allowed for client redirects (in addition to localhost)

Mode Detection:

  • Mode = "native" - Token validation only (ClientID not set)

  • Mode = "proxy" - Full OAuth flow (ClientID is set)

  • Auto-detected from ClientID presence if not specified

hashtag
Configuration Methods

hashtag
Direct Config

Create Config struct directly:

hashtag
ConfigBuilder (v0.2.0+)

Use fluent API with auto-generated ServerURL:

Benefits:

  • Auto-generates ServerURL from host/port/TLS

  • Validates config during Build()

  • Cleaner, more readable code

hashtag
FromEnv() (v0.2.0+)

Read configuration from environment variables:

Environment variables:

  • OAUTH_PROVIDER - Provider name

  • OAUTH_MODE - OAuth mode (optional)

  • OIDC_ISSUER - Issuer URL

  • OIDC_AUDIENCE - Audience

  • OIDC_CLIENT_ID - Client ID (proxy mode)

  • OIDC_CLIENT_SECRET - Client secret (proxy mode)

  • OAUTH_REDIRECT_URIS - Redirect URIs (proxy mode)

  • JWT_SECRET - HMAC secret

  • MCP_URL - Full server URL (or auto-generated from below)

  • MCP_HOST - Server host (default: localhost)

  • MCP_PORT - Server port (default: 8080)

  • HTTPS_CERT_FILE - TLS cert file (enables HTTPS)

  • HTTPS_KEY_FILE - TLS key file (enables HTTPS)

Benefits:

  • 12-factor app compliant

  • Easy Kubernetes/Docker deployment

  • No code changes for config updates

hashtag
Required Fields

hashtag
Provider

Type: string Required: Yes Values: "hmac", "okta", "google", "azure"

Specifies which OAuth provider to use for token validation.

See: Provider Guidesarrow-up-right for setup instructions

hashtag
Audience

Type: string Required: Yes Purpose: Validates the aud claim in JWT tokens

The audience must match exactly. This prevents token reuse across services.

Examples:

hashtag
Provider-Specific Fields

hashtag
Issuer

Type: string Required: For OIDC providers (okta, google, azure) Not used: HMAC provider

The OAuth provider's issuer URL. Must match token's iss claim exactly.

Examples:

Important:

  • No trailing slash

  • Must serve /.well-known/openid-configuration

  • HTTPS required

hashtag
JWTSecret

Type: []byte Required: For HMAC provider only Not used: OIDC providers

Shared secret for HMAC-SHA256 token validation.

Examples:

Security: Never hardcode! Use environment variables. See SECURITY.md.

hashtag
OAuth Mode

hashtag
Mode

Type: string Optional: Auto-detected if not specified Values: "native", "proxy"

Determines whether client or server handles OAuth flow.

Auto-detection:

Explicit:

hashtag
Native Mode

When: OAuth-capable clients (Claude Desktop, browser apps)

Client: Authenticates directly with provider → Gets token → Calls MCP server Server: Only validates tokens (no OAuth endpoints used)

Config:

OAuth endpoints: Return 404 with helpful message (not needed by client)

hashtag
Proxy Mode

When: Simple clients that can't do OAuth (CLI tools, legacy clients)

Client: Calls MCP server → Server proxies to provider → Returns token to client Server: Full OAuth authorization server functionality

Config:

OAuth endpoints: Fully functional (/oauth/authorize, /oauth/callback, /oauth/token)

Mode Comparison:

Native
Proxy

Client capability

Can do OAuth

Cannot do OAuth

OAuth flow

Client ↔ Provider

Client ↔ Server ↔ Provider

Config required

Minimal

Full (ClientID, ServerURL, etc.)

Endpoints active

Metadata only

All endpoints

Use case

Production apps

Simple clients

hashtag
Proxy Mode Fields

hashtag
ClientID

Type: string Required: For proxy mode Purpose: OAuth client identifier from provider

Obtained from your OAuth provider:

  • Okta: Application → General → Client ID

  • Google: Cloud Console → Credentials → OAuth 2.0 Client ID

  • Azure: App registrations → Application (client) ID

hashtag
ClientSecret

Type: string Required: For proxy mode (confidential clients) Purpose: OAuth client secret for token exchange

Security:

See: SECURITY.md for secret management best practices.

hashtag
ServerURL

Type: string Required: For proxy mode Purpose: Your MCP server's public URL

Used for:

  • OAuth metadata endpoints (issuer URL)

  • Redirect URI construction

  • Endpoint URL generation

Requirements:

  • HTTPS in production

  • No trailing slash

  • Publicly accessible (for OAuth provider callbacks)

hashtag
RedirectURIs

Type: string Required: For proxy mode Purpose: OAuth redirect URI validation

Single URI (Fixed Redirect):

Server uses this URI with provider. For security, client redirects must be localhost only.

Multiple URIs (Allowlist):

Comma-separated list. Client's redirect_uri must exactly match one of these.

Security:

  • HTTPS required for non-localhost

  • No wildcards allowed

  • Exact string match

  • See SECURITY.md for redirect URI security

hashtag
Optional Fields

hashtag
Logger

Type: Logger interface Default: Uses log.Printf with level prefixes Purpose: Custom logging integration

Implement Logger interface to integrate with your logging system:

Examples:

Zap:

Logrus:

Default behavior:

What gets logged: See examples/README.md

hashtag
Validation

Configuration is validated when calling WithOAuth() or NewServer():

hashtag
Validation Rules

All modes:

  • Provider must be one of: hmac, okta, google, azure

  • Audience is required

  • Provider-specific fields validated (JWTSecret for HMAC, Issuer for OIDC)

Proxy mode:

  • ClientID required

  • ServerURL required

  • RedirectURIs required

Native mode:

  • ClientID, ServerURL, RedirectURIs optional (ignored if provided)

hashtag
Complete Examples

hashtag
HMAC (Testing)

hashtag
Okta (Native - Recommended)

hashtag
Okta (Proxy - For Simple Clients)

hashtag
Google

hashtag
Azure AD

hashtag
Environment Variables Pattern

Recommended .env structure:

Load in code:

hashtag
See Also

PreviousCLIENT-SETUPNextSecurity Best Practices

Last updated

Was this helpful?