zhongwei/gh-jezweb-claude-skills-skills-cloudflare-mcp-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Zhongwei Li
2025-11-30 08:24:23 +08:00
commit 5f996ee003
23 changed files with 6697 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

190
references/oauth-providers.md Normal file
View File

@@ -0,0 +1,190 @@
# OAuth Provider Setup Guides
Quick setup guides for common OAuth providers with Cloudflare MCP servers.
---
## GitHub
### 1. Create OAuth App
1. Go to https://github.com/settings/developers
2. Click "New OAuth App"
3. Fill in:
- **Application name**: My MCP Server
- **Homepage URL**: https://my-mcp.workers.dev
- **Authorization callback URL**: https://my-mcp.workers.dev/oauth/callback
4. Click "Register application"
5. Copy Client ID and Client Secret
### 2. Configure Worker
```typescript
import { GitHubHandler } from "@cloudflare/workers-oauth-provider";
defaultHandler: new GitHubHandler({
clientId: (env) => env.GITHUB_CLIENT_ID,
clientSecret: (env) => env.GITHUB_CLIENT_SECRET,
scopes: ["repo", "user:email"],
})
```
### 3. Add Secrets
```bash
npx wrangler secret put GITHUB_CLIENT_ID
npx wrangler secret put GITHUB_CLIENT_SECRET
```
### Common Scopes
- `repo` - Full repo access
- `user:email` - Read user email
- `read:org` - Read org membership
- `write:org` - Manage org
- `admin:repo_hook` - Manage webhooks
---
## Google
### 1. Create OAuth Client
1. Go to https://console.cloud.google.com/apis/credentials
2. Click "Create Credentials" → "OAuth client ID"
3. Application type: "Web application"
4. Authorized redirect URIs: https://my-mcp.workers.dev/oauth/callback
5. Click "Create"
6. Copy Client ID and Client Secret
### 2. Configure Worker
```typescript
import { GoogleHandler } from "@cloudflare/workers-oauth-provider";
defaultHandler: new GoogleHandler({
clientId: (env) => env.GOOGLE_CLIENT_ID,
clientSecret: (env) => env.GOOGLE_CLIENT_SECRET,
scopes: ["openid", "email", "profile"],
})
```
### Common Scopes
- `openid` - Required for OpenID Connect
- `email` - User email
- `profile` - Basic profile
- `https://www.googleapis.com/auth/drive.readonly` - Read Drive files
- `https://www.googleapis.com/auth/gmail.readonly` - Read Gmail
---
## Azure AD
### 1. Register Application
1. Go to https://portal.azure.com → Azure Active Directory
2. App registrations → New registration
3. Name: My MCP Server
4. Redirect URI: https://my-mcp.workers.dev/oauth/callback
5. Click "Register"
6. Copy Application (client) ID
7. Certificates & secrets → New client secret
8. Copy secret value
### 2. Configure Worker
```typescript
import { AzureADHandler } from "@cloudflare/workers-oauth-provider";
defaultHandler: new AzureADHandler({
clientId: (env) => env.AZURE_CLIENT_ID,
clientSecret: (env) => env.AZURE_CLIENT_SECRET,
tenant: "common", // or specific tenant ID
scopes: ["openid", "email", "User.Read"],
})
```
### Common Scopes
- `openid` - Required
- `email` - User email
- `User.Read` - Read user profile
- `Files.Read` - Read OneDrive files
- `Mail.Read` - Read email
---
## Generic OAuth Provider
### For any OAuth 2.1 provider
```typescript
import { GenericOAuthHandler } from "@cloudflare/workers-oauth-provider";
defaultHandler: new GenericOAuthHandler({
authorizeUrl: "https://provider.com/oauth/authorize",
tokenUrl: "https://provider.com/oauth/token",
userInfoUrl: "https://provider.com/oauth/userinfo",
clientId: (env) => env.OAUTH_CLIENT_ID,
clientSecret: (env) => env.OAUTH_CLIENT_SECRET,
scopes: ["openid", "email"],
context: async (accessToken) => {
const response = await fetch("https://provider.com/oauth/userinfo", {
headers: { Authorization: `Bearer ${accessToken}` }
});
const user = await response.json();
return {
userId: user.id,
email: user.email,
accessToken
};
}
})
```
---
## Dynamic Client Registration
Skip manual OAuth app creation - let clients register automatically:
```typescript
export default new OAuthProvider({
allowDynamicClientRegistration: true,
// No clientId or clientSecret needed!
})
```
**How it works**:
1. Client sends registration request
2. Server generates client credentials
3. Stored in KV namespace
4. Client uses credentials for OAuth flow
**Pros**:
✅ No manual setup
✅ Works immediately
✅ No provider configuration
**Cons**:
❌ Less control
❌ Can't track clients externally
---
## Security Best Practices
### Scopes
✅ Request minimal scopes needed
❌ Don't request `admin` or `delete` unless necessary
### Secrets
✅ Use `npx wrangler secret put`
❌ Never commit secrets to git
❌ Never put secrets in wrangler.jsonc
### Redirect URIs
✅ Use HTTPS in production
✅ Specify exact URI (not wildcard)
❌ Don't use localhost in production
### Consent Screen
✅ Always enable in production: `allowConsentScreen: true`
❌ Never disable consent screen for public apps
---
**Need help?** See `authentication.md` for full OAuth patterns.