remote-mcp-pingone

EPortman-Ping/remote-mcp-pingone

3.2

If you are the rightful owner of remote-mcp-pingone and would like to certify it and/or have it hosted online, please leave a comment on the right or send an email to dayong@mcphub.com.

The Model Context Protocol (MCP) Server with PingOne integration is a demo template designed to facilitate secure and efficient remote MCP connections, acting as both an OAuth Server and an OIDC Client.

Model Context Protocol (MCP) Server + PingOne

This is a Model Context Protocol (MCP) server that supports remote MCP connections, with PingOne built-in.

The MCP server (powered by Cloudflare Workers):

  • Acts as OAuth Server to your MCP clients
  • Acts as OIDC Client to your PingOne environment

[!WARNING] This is a demo template designed to help you get started quickly. While we have implemented several security controls, you must implement all preventive and defense-in-depth security measures before deploying to production. Please review our comprehensive security guide: Securing MCP Servers

Getting Started

This demo shows how an MCP server can securely call a protected API on behalf of an end user. To begin:

  1. Deploy the .
  2. Deploy either the (for Cloudflare-managed consent) or the (for PingOne DaVinci-managed consent).

[!NOTE] The API used here could be any PingOne-secured API. We use a Cloudflare workers API for this example, but the goal is to demonstrate how any API can be connected to an MCP server using this architecture.

Access the remote MCP server from the Cloudflare Workers AI LLM Playground

Navigate to https://playground.ai.cloudflare.com and connect to your MCP server using the following URL pattern:

https://remote-mcp-pingone(-dv).<your-subdomain>.workers.dev/mcp

Access the remote MCP server from Claude Desktop

Open Claude Desktop and navigate to Settings -> Developer -> Edit Config. This opens the configuration file that controls which MCP servers Claude can access.

Replace the content with the following configuration. Once you restart Claude Desktop, a browser window will open showing your OAuth login page. Complete the authentication flow to grant Claude access to your MCP server. After you grant access, the tools will become available for you to use.

{
  "mcpServers": {
    "todo-mcp": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://remote-mcp-pingone(-dv).<your-subdomain>.workers.dev/mcp"
      ]
    }
  }
}

Once the Tools (under 🔨) show up in the interface, you can ask Claude to use them. For example: "Could you tell me what is in my Todo list?". Claude should invoke the tool and show the result generated by the MCP server.

How does it work?

This architecture bridges the stateless nature of Cloudflare workers with the stateful requirements of an authenticated MCP session.

OAuth Provider (The Identity Broker)

The OAuth provider library implements a compliant OAuth 2.1 server directly within your Cloudflare worker. It acts as the security gateway, performing a dual role:

  • OAuth Server: It manages the immediate relationship with the MCP client, handling registration and issuing session tokens.
  • OIDC Client: It orchestrates the upstream federation with PingOne, exchanging authorization codes for the access tokens needed to call protected APIs.

Cloudflare Agents (State & Transport)

The MCP server extends the McpAgent class, which automatically wraps the MCP logic in a durable object. This handles the complex infrastructure requirements:

  • Session Persistence: It creates a dedicated, isolated environment for each MCP connection and securely persists the PingOne tokens in the durable object's storage (this.props).
  • Streamable HTTP: The agent automatically handles the network transport layer. It accepts standard HTTP requests from MCP clients and routes them to MCP tools in the correct durable object.

MCP SDK (Tool Logic)

The official @modelcontextprotocol/sdk is used to define the actual capabilities of the MCP server. Inside the agent, an McpServer instance:

  • Handles Protocol: Manages the serialization of JSON-RPC messages and tool definitions.
  • Enables Streaming: Implements Streamable HTTP to support real-time, bi-directional communication over a single endpoint.

Use Cases & Extensibility

This architecture demonstrates a pattern for connecting AI agents to APIs secured by PingOne. By functioning as an OAuth proxy, the MCP server enables LLMs to interact with services on behalf of an authenticated user, without modifying the downstream API's existing permission models. Whether using the direct Cloudflare consent approach or the DaVinci orchestration flow, this project provides a configuration guide for enabling natural language interactions with enterprise data while maintaining identity-based access controls.