Commit 1c88679

Merge pull request #153 from SocketDev/jwerle/oauth-integration
feat(oauth): add OAuth authentication for MCP HTTP mode
2 parents ad54b9e + 35797fc commit 1c88679

3 files changed

Lines changed: 835 additions & 50 deletions

File tree

README.md

Lines changed: 29 additions & 0 deletions
@@ -182,6 +182,35 @@ This approach automatically uses the latest version without requiring global ins
182182
MCP_HTTP_MODE=true SOCKET_API_KEY=your-api-key npx @socketsecurity/mcp@latest --http
183183
```
184184

185+
HTTP mode supports these environment variables:
186+
187+
| Variable | Required | Default | Description |
188+
|---|---|---|---|
189+
| `SOCKET_API_KEY` | Required unless OAuth is enabled | None | Socket API key used for outbound API calls. If unset in OAuth-enabled HTTP mode, the validated incoming bearer token is forwarded upstream instead. |
190+
| `SOCKET_OAUTH_ISSUER` | Set together with the two introspection vars to enable OAuth | None | OAuth issuer URL used for metadata discovery and incoming bearer-token validation. |
191+
| `SOCKET_OAUTH_INTROSPECTION_CLIENT_ID` | With OAuth | None | Client ID used for token introspection. |
192+
| `SOCKET_OAUTH_INTROSPECTION_CLIENT_SECRET` | With OAuth | None | Client secret used for token introspection. |
193+
| `SOCKET_OAUTH_REQUIRED_SCOPES` | No | `packages:list` | Space-delimited scopes required on incoming access tokens. |
194+
| `SOCKET_API_URL` | No | Production Socket API URL, or localhost when `SOCKET_DEBUG=true` | Override the upstream Socket API endpoint. Useful for local development and testing. |
195+
| `SOCKET_DEBUG` | No | `false` | Switches the default upstream Socket API endpoint to localhost when `SOCKET_API_URL` is unset. |
196+
| `TRUST_PROXY` | No | `false` | When `true`, trust `X-Forwarded-Host` and `X-Forwarded-Proto` when building OAuth metadata URLs. Enable only behind a trusted reverse proxy that rewrites these headers. |
197+
| `MCP_PORT` | HTTP mode only | `3000` | Port to bind the HTTP server to. |
198+
199+
`SOCKET_API_URL` and `SOCKET_DEBUG` also apply in stdio mode.
200+
In OAuth-enabled HTTP mode, if `SOCKET_API_KEY` is unset, the authenticated client's bearer token is forwarded to the Socket API. That token therefore must also be accepted by the configured upstream Socket API.
201+
202+
To enable OAuth-backed auth for incoming MCP requests:
203+
204+
```bash
205+
MCP_HTTP_MODE=true \
206+
SOCKET_OAUTH_ISSUER=https://issuer.example.com \
207+
SOCKET_OAUTH_INTROSPECTION_CLIENT_ID=your-client-id \
208+
SOCKET_OAUTH_INTROSPECTION_CLIENT_SECRET=your-client-secret \
209+
npx @socketsecurity/mcp@latest --http
210+
```
211+
212+
Add `TRUST_PROXY=true` only when the server is deployed behind a trusted reverse proxy or load balancer that normalizes the forwarded host and protocol headers.
213+
185214
2. Configure your MCP client to connect to the HTTP server:
186215
```json
187216
{
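Review bot: the new table leaves the failure modes of the HTTP-mode auth configuration undocumented. The `SOCKET_OAUTH_ISSUER` row says OAuth is enabled only when it is "set together with the two introspection vars", but nothing states what the server does when only one or two of the three are present, or when HTTP mode runs with neither `SOCKET_API_KEY` nor the OAuth trio set; a reader needs to know whether the server refuses to start or serves requests without validating bearer tokens. Suggest a sentence after the table such as "If the OAuth variables are only partially set, the server exits with an error rather than falling back to unauthenticated mode" (or whatever the implementation actually does). Related, the `SOCKET_API_KEY` row and the paragraph beginning "In OAuth-enabled HTTP mode, if `SOCKET_API_KEY` is unset" together describe forwarding the validated incoming token to the Socket API; it would help to state explicitly that the token is only forwarded after introspection succeeds and the `SOCKET_OAUTH_REQUIRED_SCOPES` check passes, so operators understand that the `packages:list` default gates upstream access as well as local access. Minor: the "Required" column mixes free-text values ("With OAuth", "HTTP mode only", "No"); a consistent "Yes / No / With OAuth" vocabulary with the mode caveat moved to the Description column would scan better.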