# Auth Server (Development)
The auth-server is a minimal OAuth 2.1 authorization server for local development and testing of MCP clients. It is not intended for production use.
## Overview
| Property | Value |
|---|---|
| Default port | 9000 |
| Source | omd-mcp/auth-server/ |
| Purpose | Local JWT issuance for testing MCP clients with auth="oauth" |
## What it provides
- Dynamic Client Registration (RFC 7591 subset)
- Authorization Code flow with PKCE
- JWT access tokens (RS256)
- JWKS endpoint for token verification
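The following is an added example, not code from the auth-server, that models the PKCE part of the Authorization Code flow listed above: the client derives an S256 `code_challenge` from a random `code_verifier`, the server stores the challenge with the issued code, and the `/token` exchange only succeeds when the presented verifier hashes back to the stored challenge. `AuthorizationServer` is a toy in-memory model (mirroring the dev server's in-memory stores), and the client id, redirect URI and returned token value are constructed placeholders.

```python
"""PKCE round trip (RFC 7636) for the authorization-code flow listed above.

Added example for this page; it is NOT the auth-server's implementation.  The
AuthorizationServer class is a toy in-memory model (like the dev server's own
in-memory stores), and the returned access token is a constructed placeholder.
"""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def b64url(data: bytes) -> str:
    """base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: 32 random bytes give a 43-character verifier (RFC 7636 s4.1)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge = base64url(sha256(verifier)), sent to /authorize."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


@dataclass
class PendingCode:
    client_id: str
    redirect_uri: str
    code_challenge: str


@dataclass
class AuthorizationServer:
    """Toy server state: authorization codes awaiting exchange at /token."""
    codes: dict = field(default_factory=dict)

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, method: str = "S256") -> str:
        # OAuth 2.1 drops the 'plain' method; only S256 is accepted.
        if method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = b64url(secrets.token_bytes(32))
        self.codes[code] = PendingCode(client_id, redirect_uri, code_challenge)
        return code

    def token(self, code: str, client_id: str, redirect_uri: str,
              code_verifier: str) -> dict:
        # pop() makes the code single-use: a replayed code fails below.
        pending = self.codes.pop(code, None)
        if pending is None:
            raise PermissionError("invalid_grant")
        # The code must be redeemed by the client and redirect_uri it was issued for.
        if pending.client_id != client_id or pending.redirect_uri != redirect_uri:
            raise PermissionError("invalid_grant")
        # RFC 7636 s4.1 length bounds, then constant-time comparison of the
        # recomputed challenge against the one stored at /authorize time.
        if not 43 <= len(code_verifier) <= 128:
            raise PermissionError("invalid_grant")
        recomputed = make_code_challenge(code_verifier)
        if not hmac.compare_digest(recomputed, pending.code_challenge):
            raise PermissionError("invalid_grant")
        return {"access_token": "CONSTRUCTED-PLACEHOLDER-TOKEN", "token_type": "Bearer"}


def run_demo() -> dict:
    """Exercise the happy path and three failure modes; returns which succeeded."""
    server = AuthorizationServer()
    client_id, redirect_uri = "dev-client", "http://127.0.0.1:8050/callback"  # constructed

    def attempt(code: str, verifier: str) -> bool:
        try:
            server.token(code, client_id, redirect_uri, verifier)
            return True
        except PermissionError:
            return False

    verifier = make_code_verifier()
    code = server.authorize(client_id, redirect_uri, make_code_challenge(verifier))
    results = {"happy": attempt(code, verifier)}
    results["replay"] = attempt(code, verifier)  # same code presented a second time

    code2 = server.authorize(client_id, redirect_uri, make_code_challenge(verifier))
    results["wrong_verifier"] = attempt(code2, make_code_verifier())  # holder of the code only

    try:
        server.authorize(client_id, redirect_uri, verifier, method="plain")
        results["plain_accepted"] = True
    except ValueError:
        results["plain_accepted"] = False
    return results


if __name__ == "__main__":
    print(run_demo())
```

The three failure cases are the ones PKCE exists for: a captured authorization code is useless without the verifier, a code cannot be redeemed twice, and the `plain` method (which would let the challenge double as the verifier) is refused outright.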
## Endpoints

| Path | Description |
|---|---|
| `GET /.well-known/oauth-authorization-server` | Authorization server metadata (RFC 8414) |
| `GET /.well-known/jwks.json` | JWKS for verifying issued JWTs |
| `POST /register` | Dynamic client registration |
| `GET /authorize` | Authorization request (shows dev login form) |
| `POST /authorize` | Submit credentials and issue authorization code |
| `POST /token` | Token endpoint (`authorization_code`, `refresh_token`) |
## Running locally

```bash
cd omd-mcp/auth-server
uv sync
uv run uvicorn src.main:app --host 127.0.0.1 --port 9000
```
## Environment variables

Copy `.env.example` to `.env`:

| Variable | Default | Description |
|---|---|---|
| `AUTH_SERVER_ISSUER` | `http://127.0.0.1:9000` | Issuer URL (must match what clients use) |
| `AUTH_SERVER_DEV_USERNAME` | `dev` | Login username for the dev form |
| `AUTH_SERVER_DEV_PASSWORD` | `dev` | Login password for the dev form |
## Integration with MCP services

To use the auth-server with omd-go-service or powerhouse-service:

- Start the auth-server on port 9000.
- In the MCP service `.env`, set:

  ```
  OMD_USE_LOCAL_AUTH_SERVER=1
  OMD_MCP_PUBLIC_BASE_URL=http://127.0.0.1:8050
  OMD_AUTH_SERVER_ISSUER=http://127.0.0.1:9000
  ```

- Restart the MCP service.
- Connect an MCP client with `auth="oauth"`:

  ```python
  import asyncio
  from fastmcp import Client

  async def main():
      # The client reads the protected-resource metadata, finds the auth-server
      # and opens a browser for the dev login form before listing tools.
      async with Client("http://127.0.0.1:8050/mcp", auth="oauth") as client:
          tools = await client.list_tools()

  asyncio.run(main())
  ```

The client will discover the auth-server via protected-resource metadata and prompt for a browser-based login.
## Issued tokens

Access tokens include a `roles` claim (`["customer"]` by default) so role-gated tools continue to work during development.
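Two checks a practitioner would want around these tokens, written here as an added example (not the auth-server's or fastmcp's code): the "issuer must match what clients use" requirement from the environment table, enforced as RFC 8414 §3.3 prescribes by comparing the metadata document's `issuer` against the configured issuer and keeping every advertised endpoint on that origin; and a role gate over the `roles` claim applied after the RS256 signature has been verified against the JWKS. The metadata document and the claims are constructed samples; the audience value `http://127.0.0.1:8050` is an assumption for illustration, since the page does not state what `aud` the server sets.

```python
"""Two defensive checks around the dev auth-server's metadata and tokens.

Added example for this page; not the auth-server's or fastmcp's code.
The metadata document and claims are constructed samples shaped like the
RFC 8414 document and the `roles` claim the page describes.
"""
import json
from urllib.parse import urlparse

# Mirrors AUTH_SERVER_ISSUER on the server and OMD_AUTH_SERVER_ISSUER in the MCP service.
CONFIGURED_ISSUER = "http://127.0.0.1:9000"

# Constructed sample of what GET /.well-known/oauth-authorization-server might return.
SAMPLE_METADATA = json.dumps({
    "issuer": "http://127.0.0.1:9000",
    "authorization_endpoint": "http://127.0.0.1:9000/authorize",
    "token_endpoint": "http://127.0.0.1:9000/token",
    "registration_endpoint": "http://127.0.0.1:9000/register",
    "jwks_uri": "http://127.0.0.1:9000/.well-known/jwks.json",
    "code_challenge_methods_supported": ["S256"],
})


def _origin(url: str) -> tuple:
    """(scheme, host, port) triple used to compare URLs by origin."""
    parsed = urlparse(url)
    return (parsed.scheme, parsed.hostname, parsed.port)


def validate_metadata(document: str, expected_issuer: str) -> dict:
    """RFC 8414 s3.3: the document's 'issuer' must equal the issuer the client
    derived the well-known URL from.  A client configured with
    http://localhost:9000 therefore rejects a document claiming 127.0.0.1,
    which is the mismatch the environment table warns about.  The endpoints
    the client will send credentials, codes and key lookups to must also sit
    on the issuer's origin, so a tampered document cannot point them elsewhere."""
    metadata = json.loads(document)
    if metadata.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch: %r != %r" % (metadata.get("issuer"), expected_issuer))
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = metadata.get(key)
        if not url or _origin(url) != _origin(expected_issuer):
            raise ValueError("%s is missing or not on the issuer origin" % key)
    if "S256" not in metadata.get("code_challenge_methods_supported", []):
        raise ValueError("server does not advertise S256 PKCE")
    return metadata


def metadata_is_valid(document: str, expected_issuer: str) -> bool:
    """Boolean wrapper around validate_metadata for callers that just need a verdict."""
    try:
        validate_metadata(document, expected_issuer)
        return True
    except ValueError:
        return False


def has_required_roles(claims: dict, required: set, expected_issuer: str,
                       expected_audience: str, now: int) -> bool:
    """Role gate for a tool, applied to claims whose RS256 signature has ALREADY
    been verified against /.well-known/jwks.json.  A valid signature alone says
    nothing about who issued the token, who it is for, whether it has expired,
    or which roles it carries; each of those is checked here."""
    if claims.get("iss") != expected_issuer:
        return False
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        return False
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False
    roles = claims.get("roles")
    if not isinstance(roles, list):
        return False
    return required.issubset(set(roles))


if __name__ == "__main__":
    # Constructed claims as the dev server's default roles would produce them.
    sample_claims = {"iss": CONFIGURED_ISSUER, "aud": "http://127.0.0.1:8050",
                     "exp": 1_900_000_000, "roles": ["customer"]}
    print(metadata_is_valid(SAMPLE_METADATA, CONFIGURED_ISSUER))
    print(has_required_roles(sample_claims, {"customer"}, CONFIGURED_ISSUER,
                             "http://127.0.0.1:8050", now=1_700_000_000))
```

`has_required_roles` deliberately takes `now` as a parameter rather than reading the clock, so the expiry path can be exercised deterministically in tests and so a service can apply a small clock-skew allowance in one place.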
!!! warning
    Do not deploy the auth-server in production environments. It uses in-memory stores, fixed credentials, and is not hardened for public exposure.