# Integrations

Beyond the core OAuth endpoints, this repo exposes three integration surfaces that matter in practice:

- social login providers
- the eventing subsystem
- the standalone MCP wrapper under `mcp-server/`
## Social login

| Provider | Status | Routes |
|---|---|---|
| Google | Shipped | `/auth/login/google`, `/auth/callback/google` |
| Microsoft | Shipped | `/auth/login/microsoft`, `/auth/callback/microsoft` |
| Azure AD | Shipped | `/auth/login/azure`, `/auth/callback/azure` |
| GitHub | Shipped | `/auth/login/github`, `/auth/callback/github` |
| Okta | Not implemented | `/auth/login/okta` returns HTTP 503 |
| Auth0 | Not implemented | `/auth/login/auth0` returns HTTP 503 |
Minimum setup is provider credentials plus a redirect URI. The redirect URI must match what you registered in the provider's console exactly (scheme, host, port and path), or the provider will refuse the callback. The exact variable names live in `.env.example` and `application.conf.example`.

**Note:** `/auth/login/azure` uses the same Microsoft identity platform client as the Microsoft flow. It prefers dedicated `OAUTH2_AZURE_*` settings and falls back to `OAUTH2_MICROSOFT_*` when the Azure-specific settings are unset.

Example for Google:

```bash
export OAUTH2_GOOGLE_CLIENT_ID=your-client-id
export OAUTH2_GOOGLE_CLIENT_SECRET=your-client-secret
export OAUTH2_GOOGLE_REDIRECT_URI=http://localhost:8080/auth/callback/google
```
## Eventing

The server can emit auth events and accept external event envelopes.

Runtime defaults:

```bash
OAUTH2_EVENTS_ENABLED=true
OAUTH2_EVENTS_BACKEND=in_memory
OAUTH2_EVENTS_FILTER_MODE=allow_all
```

Endpoints:

- health probe: `GET /events/health`
- external ingest: `POST /events/ingest`
### Event ingest authentication

By default, `POST /events/ingest` requires a bearer token. Configure the shared secret with `OAUTH2_EVENTS_INGEST_BEARER_TOKEN` and send it in the `Authorization` header:

```bash
curl -X POST http://localhost:8080/events/ingest \
  -H "Authorization: Bearer YOUR_INGEST_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "event": { ... } }'
```

If the token is missing or does not match, the endpoint returns HTTP 401. If the token variable is not configured at all, the endpoint returns HTTP 503 rather than failing open. To allow unauthenticated callers (not recommended for production), set `OAUTH2_EVENTS_PUBLIC_INGEST=true`.
Feature-gated broker backends:
| Backend | Build requirement |
|---|---|
| Redis Streams | --features events-redis |
| Kafka | --features events-kafka |
| RabbitMQ | --features events-rabbit |
Example Redis Streams path, for a binary built with `--features events-redis`:

```bash
export OAUTH2_EVENTS_BACKEND=redis
export OAUTH2_EVENTS_REDIS_URL=redis://127.0.0.1:6379
export OAUTH2_EVENTS_REDIS_STREAM=oauth2_events
```
## MCP server

The repository includes a separate Node.js stdio server in `mcp-server/`.

### What it exposes

| Tool | Purpose |
|---|---|
| `register_client` | Calls the admin client-registration API |
| `get_token` | Client credentials token request |
| `exchange_code` | Authorization code token exchange |
| `refresh_token` | Refresh-token request |
| `introspect_token` | Token introspection |
| `revoke_token` | Token revocation |
| `get_health` | Health probe |
| `get_readiness` | Readiness probe |
| `get_metrics` | Metrics fetch |
| `get_openid_config` | Discovery fetch |
### Important limitations

- the wrapper is not browser/session aware
- `register_client` targets the admin-protected endpoint `POST /admin/clients/register`
- `refresh_token` exists as a tool, but default server configs still reject the refresh grant unless you explicitly enable it
- it does not provide general user CRUD or admin-dashboard automation
Quick setup:

Then point your MCP client at `mcp-server/src/index.js` with `OAUTH2_BASE_URL` set to the running server. The fuller repo-local guide lives in `mcp-server/README.md`; use the published copy here: the MCP server README.
## Source of truth

When you are unsure whether an integration is real or aspirational, check these files first:

- `crates/oauth2-server/src/lib.rs` for registered routes
- `.env.example` and `application.conf.example` for config keys
- `mcp-server/src/index.js` for exposed MCP tools
- `crates/oauth2-events/` for event backend support