Support an end-user friendly `OAuthAuthorizationCodeAuthenticator`

[erwinkramer]

In a perfect world, this library allows some kind of OAuthAuthorizationCodeAuthenticator, which not only should read from the OpenAPI OAuth 2.0 security segment to get the required values, such as these, but also allows for interactive authentication through prompting with the MCP server, allowing for each end-user to use their own credentials. This is equivalent to using a swagger ui or scalar ui, where you can interactively generate your oauth tokens and use them (in the browser front-end generated by the UI tooling).

I also requested this in a similar project, see gunpal5/QuickMCP#9

[abdebek]

Hi @erwinkramer ,

Quick update: PKCE and client-credentials support are in (as of version 0.0.5-preview), and external OpenAPI specs (like your bank API) can be registered with the right token/authorize endpoints and subscription key.

Currently authentication is still triggered out-of-band (browser/device flow) with a shared token store, so it doesn’t yet offer a Swagger-UI-style interactive login per MCP user. We could add an MCP ‘login’ tool that returns a device-flow verification URL + user code (with per-session token storage), or an auth-code/PKCE URL handoff. Do you have a preference or any suggestions? We can try one approach and adjust based on feedbacks.

[erwinkramer]

@abdebek looks like some good progress, nice!

For device flow vs authorization code - I feel like authorization code flow is more commonly used. Device flow has been supported just recently in the OpenAPI spec: https://github.com/OAI/OpenAPI-Specification/releases/tag/3.2.0, this means there is little support for OpenAPI spec generators. I don't even think it's technically possible in asp.net APIs currently, since .net 10 only supports up to openapi 3.1.1 spec - unless you use a custom setup with the Microsoft.OpenAPI library.

[erwinkramer]

@abdebek just an update from my side, please see https://github.com/erwinkramer/bank-api?tab=readme-ov-file#run-the-mcp-server, i successfully implemented the library in a way that currently works for me, based on your last changes on 0.0.7-preview and your provided samples in the repo (much thanks for that!).

There is still potential to have it even further simplified (like support for multiple auth providers in 1 API without duplicating tools, and not having to specify the provider details but getting them from the definition instead), but I'm already very happy with what I can do with it. 💯