# OAuth Provider Setup Guides
Quick setup guides for common OAuth providers with Cloudflare MCP servers.
## GitHub

### 1. Create OAuth App

- Go to https://github.com/settings/developers
- Click "New OAuth App"
- Fill in:
  - Application name: My MCP Server
  - Homepage URL: https://my-mcp.workers.dev
  - Authorization callback URL: https://my-mcp.workers.dev/oauth/callback
- Click "Register application"
- Copy Client ID and Client Secret
### 2. Configure Worker

```js
import { OAuthProvider, GitHubHandler } from "@cloudflare/workers-oauth-provider";

export default new OAuthProvider({
  // ...other OAuthProvider options (API route, handlers, endpoints) omitted
  defaultHandler: new GitHubHandler({
    // Read the credentials from Worker secrets at request time, never from source
    clientId: (env) => env.GITHUB_CLIENT_ID,
    clientSecret: (env) => env.GITHUB_CLIENT_SECRET,
    scopes: ["repo", "user:email"],
  }),
});
```

### 3. Add Secrets

```sh
npx wrangler secret put GITHUB_CLIENT_ID
npx wrangler secret put GITHUB_CLIENT_SECRET
```
### Common Scopes

- `repo` - Full repo access
- `user:email` - Read user email
- `read:org` - Read org membership
- `write:org` - Manage org
- `admin:repo_hook` - Manage webhooks
## Google

### 1. Create OAuth Client

- Go to https://console.cloud.google.com/apis/credentials
- Click "Create Credentials" → "OAuth client ID"
- Application type: "Web application"
- Authorized redirect URIs: https://my-mcp.workers.dev/oauth/callback
- Click "Create"
- Copy Client ID and Client Secret
### 2. Configure Worker

```js
import { OAuthProvider, GoogleHandler } from "@cloudflare/workers-oauth-provider";

export default new OAuthProvider({
  // ...other OAuthProvider options (API route, handlers, endpoints) omitted
  defaultHandler: new GoogleHandler({
    // Read the credentials from Worker secrets at request time, never from source
    clientId: (env) => env.GOOGLE_CLIENT_ID,
    clientSecret: (env) => env.GOOGLE_CLIENT_SECRET,
    scopes: ["openid", "email", "profile"],
  }),
});
```
### Common Scopes

- `openid` - Required for OpenID Connect
- `email` - User email
- `profile` - Basic profile
- `https://www.googleapis.com/auth/drive.readonly` - Read Drive files
- `https://www.googleapis.com/auth/gmail.readonly` - Read Gmail
## Azure AD

### 1. Register Application

- Go to https://portal.azure.com → Azure Active Directory
- App registrations → New registration
- Name: My MCP Server
- Redirect URI: https://my-mcp.workers.dev/oauth/callback
- Click "Register"
- Copy Application (client) ID
- Certificates & secrets → New client secret
- Copy the secret value
### 2. Configure Worker

```js
import { OAuthProvider, AzureADHandler } from "@cloudflare/workers-oauth-provider";

export default new OAuthProvider({
  // ...other OAuthProvider options (API route, handlers, endpoints) omitted
  defaultHandler: new AzureADHandler({
    // Read the credentials from Worker secrets at request time, never from source
    clientId: (env) => env.AZURE_CLIENT_ID,
    clientSecret: (env) => env.AZURE_CLIENT_SECRET,
    tenant: "common", // or a specific tenant ID to restrict sign-in to one directory
    scopes: ["openid", "email", "User.Read"],
  }),
});
```
### Common Scopes

- `openid` - Required
- `email` - User email
- `User.Read` - Read user profile
- `Files.Read` - Read OneDrive files
- `Mail.Read` - Read email
## Generic OAuth Provider

For any OAuth 2.1 provider:

```js
import { OAuthProvider, GenericOAuthHandler } from "@cloudflare/workers-oauth-provider";

export default new OAuthProvider({
  // ...other OAuthProvider options (API route, handlers, endpoints) omitted
  defaultHandler: new GenericOAuthHandler({
    authorizeUrl: "https://provider.com/oauth/authorize",
    tokenUrl: "https://provider.com/oauth/token",
    userInfoUrl: "https://provider.com/oauth/userinfo",
    clientId: (env) => env.OAUTH_CLIENT_ID,
    clientSecret: (env) => env.OAUTH_CLIENT_SECRET,
    scopes: ["openid", "email"],
    // Build the per-user context stored with the grant by fetching the
    // user's profile from the provider's userinfo endpoint.
    context: async (accessToken) => {
      const response = await fetch("https://provider.com/oauth/userinfo", {
        headers: { Authorization: `Bearer ${accessToken}` },
      });
      if (!response.ok) {
        // Do not store a grant for a token the provider rejects
        throw new Error(`userinfo request failed: ${response.status}`);
      }
      const user = await response.json();
      return {
        userId: user.id,
        email: user.email,
        accessToken,
      };
    },
  }),
});
```
## Dynamic Client Registration

Skip manual OAuth app creation - let clients register automatically:

```js
import { OAuthProvider } from "@cloudflare/workers-oauth-provider";

export default new OAuthProvider({
  // ...other OAuthProvider options (API route, handlers, endpoints) omitted
  allowDynamicClientRegistration: true,
  // No clientId or clientSecret needed!
});
```

How it works:

- Client sends a registration request
- Server generates client credentials
- Credentials are stored in a KV namespace
- Client uses the credentials for the OAuth flow

Pros:

- ✅ No manual setup
- ✅ Works immediately
- ✅ No provider configuration

Cons:

- ❌ Less control
- ❌ Can't track clients externally
## Security Best Practices

### Scopes

- ✅ Request only the minimal scopes needed
- ❌ Don't request admin or delete scopes unless necessary

### Secrets

- ✅ Use `npx wrangler secret put`
- ❌ Never commit secrets to git
- ❌ Never put secrets in `wrangler.jsonc`

### Redirect URIs

- ✅ Use HTTPS in production
- ✅ Specify the exact URI (not a wildcard)
- ❌ Don't use localhost in production

### Consent Screen

- ✅ Always enable in production: `allowConsentScreen: true`
- ❌ Never disable the consent screen for public apps
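An added example, not from this page or the `@cloudflare/workers-oauth-provider` library, of applying the redirect URI and scope rules above to an incoming authorization request; the registered redirect list, the allowed scope set and the helper names are constructed for illustration:

```javascript
// Added example: enforce exact-match redirect URIs (HTTPS, no localhost in
// production) and minimal scopes on an /authorize request. Helper names are
// hypothetical; this is not the library's own validation code.

// Constructed sample registration: the exact redirect URI(s) a client registered.
const REGISTERED_REDIRECTS = ["https://my-mcp.workers.dev/oauth/callback"];
// Constructed sample: the only scopes this server is willing to issue.
const ALLOWED_SCOPES = new Set(["openid", "email", "profile"]);

function isValidRedirectUri(candidate, registered, { production = true } = {}) {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return false; // not an absolute URL at all
  }
  if (url.hash) return false; // redirect URIs must not carry a fragment
  if (production) {
    if (url.protocol !== "https:") return false;
    if (url.hostname === "localhost" || url.hostname === "127.0.0.1") return false;
  }
  // Exact string comparison, never prefix or wildcard matching: a look-alike
  // host, an extra path segment or a trailing slash all fail here.
  return registered.includes(candidate);
}

function requestedScopesAllowed(scopeParam, allowed) {
  const scopes = scopeParam.split(" ").filter(Boolean);
  return scopes.length > 0 && scopes.every((s) => allowed.has(s));
}

// Validate the query parameters of an authorization request. On a bad
// redirect_uri the caller must render an error page, never redirect to it.
function validateAuthorizeRequest(params, options) {
  const redirectUri = params.get("redirect_uri") ?? "";
  if (!isValidRedirectUri(redirectUri, REGISTERED_REDIRECTS, options)) {
    return { ok: false, error: "invalid_redirect_uri" };
  }
  if (!requestedScopesAllowed(params.get("scope") ?? "", ALLOWED_SCOPES)) {
    return { ok: false, error: "invalid_scope" };
  }
  return { ok: true, redirectUri };
}
```

Pass `{ production: false }` only in local development, where an `http://localhost` redirect registered for that environment is accepted.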
Need help? See `authentication.md` for full OAuth patterns.