mcp-oauth2-aws-cognito

This project demonstrates securing a Model Context Protocol (MCP) server using OAuth 2.1 with AWS Cognito, showcasing features like Dynamic Client Registration and dynamic discovery of authorization server metadata.

Overview

This repository demonstrates how to secure a Model Context Protocol (MCP) server using OAuth 2.1 authorization flows with AWS Cognito, implemented with Node.js and Express.js. Key features include:

  • MCP server functioning as a Resource Server
  • AWS Cognito acting as an Authorization Server
  • OAuth 2.1 Authorization Code Flow with PKCE
  • Dynamic discovery of authorization server metadata
  • Dynamic Client Registration (DCR) support
  • Two client implementations (static and auto-discovery)

Architecture

Client → MCP Server (Resource Server) → AWS Cognito (Authorization Server)

In this pattern the client obtains an access token from Cognito (Authorization Code flow with PKCE) and presents it to the MCP server as a Bearer token. The MCP server never handles user credentials; it only validates the token it receives (signature against Cognito's published keys, issuer, expiry, intended client) before serving MCP data.

Quick Start

Prerequisites

  • Node.js installed
  • An AWS test account set up (the deployment step creates resources in it)

Setup

  1. Clone the repository
  2. Install dependencies
  3. Deploy AWS resources
  4. Review and update .env files if needed

Running the Application

  1. Start both clients and server
  2. Visit http://localhost:3000 to test the OAuth flow with the static client
  3. Sign up and verify a new user
  4. Click “Fetch MCP Data” to request data from the MCP server
  5. Visit http://localhost:3002 to test the DCR flow with the auto-discovery client

Cleanup

  • Clean up the AWS resources created during setup