191 lines
4.6 KiB
Markdown
191 lines
4.6 KiB
Markdown
# OAuth Provider Setup Guides
|
|
|
|
Quick setup guides for common OAuth providers with Cloudflare MCP servers.
|
|
|
|
---
|
|
|
|
## GitHub
|
|
|
|
### 1. Create OAuth App
|
|
1. Go to https://github.com/settings/developers
|
|
2. Click "New OAuth App"
|
|
3. Fill in:
|
|
- **Application name**: My MCP Server
|
|
- **Homepage URL**: https://my-mcp.workers.dev
|
|
- **Authorization callback URL**: https://my-mcp.workers.dev/oauth/callback
|
|
4. Click "Register application"
|
|
5. Copy Client ID and Client Secret
|
|
|
|
### 2. Configure Worker
|
|
```typescript
|
|
import { GitHubHandler } from "@cloudflare/workers-oauth-provider";
|
|
|
|
defaultHandler: new GitHubHandler({
|
|
clientId: (env) => env.GITHUB_CLIENT_ID,
|
|
clientSecret: (env) => env.GITHUB_CLIENT_SECRET,
|
|
scopes: ["repo", "user:email"],
|
|
})
|
|
```
|
|
|
|
### 3. Add Secrets
|
|
```bash
|
|
npx wrangler secret put GITHUB_CLIENT_ID
|
|
npx wrangler secret put GITHUB_CLIENT_SECRET
|
|
```
|
|
|
|
### Common Scopes
|
|
- `repo` - Full repo access
|
|
- `user:email` - Read user email
|
|
- `read:org` - Read org membership
|
|
- `write:org` - Manage org
|
|
- `admin:repo_hook` - Manage webhooks
|
|
|
|
---
|
|
|
|
## Google
|
|
|
|
### 1. Create OAuth Client
|
|
1. Go to https://console.cloud.google.com/apis/credentials
|
|
2. Click "Create Credentials" → "OAuth client ID"
|
|
3. Application type: "Web application"
|
|
4. Authorized redirect URIs: https://my-mcp.workers.dev/oauth/callback
|
|
5. Click "Create"
|
|
6. Copy Client ID and Client Secret
|
|
|
|
### 2. Configure Worker
|
|
```typescript
|
|
import { GoogleHandler } from "@cloudflare/workers-oauth-provider";
|
|
|
|
defaultHandler: new GoogleHandler({
|
|
clientId: (env) => env.GOOGLE_CLIENT_ID,
|
|
clientSecret: (env) => env.GOOGLE_CLIENT_SECRET,
|
|
scopes: ["openid", "email", "profile"],
|
|
})
|
|
```
|
|
|
|
### Common Scopes
|
|
- `openid` - Required for OpenID Connect
|
|
- `email` - User email
|
|
- `profile` - Basic profile
|
|
- `https://www.googleapis.com/auth/drive.readonly` - Read Drive files
|
|
- `https://www.googleapis.com/auth/gmail.readonly` - Read Gmail
|
|
|
|
---
|
|
|
|
## Azure AD
|
|
|
|
### 1. Register Application
|
|
1. Go to https://portal.azure.com → Azure Active Directory
|
|
2. App registrations → New registration
|
|
3. Name: My MCP Server
|
|
4. Redirect URI: https://my-mcp.workers.dev/oauth/callback
|
|
5. Click "Register"
|
|
6. Copy Application (client) ID
|
|
7. Certificates & secrets → New client secret
|
|
8. Copy secret value
|
|
|
|
### 2. Configure Worker
|
|
```typescript
|
|
import { AzureADHandler } from "@cloudflare/workers-oauth-provider";
|
|
|
|
defaultHandler: new AzureADHandler({
|
|
clientId: (env) => env.AZURE_CLIENT_ID,
|
|
clientSecret: (env) => env.AZURE_CLIENT_SECRET,
|
|
tenant: "common", // or specific tenant ID
|
|
scopes: ["openid", "email", "User.Read"],
|
|
})
|
|
```
|
|
|
|
### Common Scopes
|
|
- `openid` - Required
|
|
- `email` - User email
|
|
- `User.Read` - Read user profile
|
|
- `Files.Read` - Read OneDrive files
|
|
- `Mail.Read` - Read email
|
|
|
|
---
|
|
|
|
## Generic OAuth Provider
|
|
|
|
### For any OAuth 2.1 provider
|
|
```typescript
|
|
import { GenericOAuthHandler } from "@cloudflare/workers-oauth-provider";
|
|
|
|
defaultHandler: new GenericOAuthHandler({
|
|
authorizeUrl: "https://provider.com/oauth/authorize",
|
|
tokenUrl: "https://provider.com/oauth/token",
|
|
userInfoUrl: "https://provider.com/oauth/userinfo",
|
|
|
|
clientId: (env) => env.OAUTH_CLIENT_ID,
|
|
clientSecret: (env) => env.OAUTH_CLIENT_SECRET,
|
|
scopes: ["openid", "email"],
|
|
|
|
context: async (accessToken) => {
|
|
const response = await fetch("https://provider.com/oauth/userinfo", {
|
|
headers: { Authorization: `Bearer ${accessToken}` }
|
|
});
|
|
const user = await response.json();
|
|
|
|
return {
|
|
userId: user.id,
|
|
email: user.email,
|
|
accessToken
|
|
};
|
|
}
|
|
})
|
|
```
|
|
|
|
---
|
|
|
|
## Dynamic Client Registration
|
|
|
|
Skip manual OAuth app creation - let clients register automatically:
|
|
|
|
```typescript
|
|
export default new OAuthProvider({
|
|
allowDynamicClientRegistration: true,
|
|
// No clientId or clientSecret needed!
|
|
})
|
|
```
|
|
|
|
**How it works**:
|
|
1. Client sends registration request
|
|
2. Server generates client credentials
|
|
3. Stored in KV namespace
|
|
4. Client uses credentials for OAuth flow
|
|
|
|
**Pros**:
|
|
✅ No manual setup
|
|
✅ Works immediately
|
|
✅ No provider configuration
|
|
|
|
**Cons**:
|
|
❌ Less control
|
|
❌ Can't track clients externally
|
|
|
|
---
|
|
|
|
## Security Best Practices
|
|
|
|
### Scopes
|
|
✅ Request minimal scopes needed
|
|
❌ Don't request `admin` or `delete` unless necessary
|
|
|
|
### Secrets
|
|
✅ Use `npx wrangler secret put`
|
|
❌ Never commit secrets to git
|
|
❌ Never put secrets in wrangler.jsonc
|
|
|
|
### Redirect URIs
|
|
✅ Use HTTPS in production
|
|
✅ Specify exact URI (not wildcard)
|
|
❌ Don't use localhost in production
|
|
|
|
### Consent Screen
|
|
✅ Always enable in production: `allowConsentScreen: true`
|
|
❌ Never disable consent screen for public apps
|
|
|
|
---
|
|
|
|
**Need help?** See `authentication.md` for full OAuth patterns.
|