oauth-music-streaming-mcp-server by roynjeru - MCP Server

🎧 Spotify OAuth 2.0 Authorization Server (with MCP Authentication)

Secure OAuth 2.0 and MCP-compliant authorization server bridging Spotify’s Web API with Model Context Protocol (MCP) tool servers — built for scale, observability, and developer experience.

🧭 Overview

This repository implements a custom OAuth 2.0 Authorization Server that bridges authentication between:

Spotify Web API (user identity & consent)
Model Context Protocol (MCP) servers exposing Spotify tool integrations

Built with ASP.NET Core 8, it delivers a secure and extensible authentication layer using:

PKCE-based Authorization Code Flow
Dynamic Client Registration
RSA-signed JWT bearer tokens
OpenID Connect Discovery
MCP Authorization Compliance per specification 2025-03-26

🚀 Key Features

1. OAuth 2.0 Authorization Code with PKCE (Spotify Integration)

Implements Spotify’s Authorization Code with PKCE flow for secure public-client authentication.

Flow Summary:

Client starts /authorize with code_challenge=S256
Server redirects to Spotify for user consent
Spotify returns an auth code → /spotify-callback
Server exchanges Spotify code for access/refresh tokens
MCP issues its own JWT-bound token (/token)

Sequence Diagram

This ensures that no secrets are exposed client-side and that token exchanges are verified using code_verifier and S256.

var spotifyTokenRequest = new SpotifyTokenRequest
{
    GrantType = "authorization_code",
    Code = code,
    RedirectUri = redirectUri,
    CodeVerifier = verifier
};

2. Dynamic Client Registration (RFC 7591 §3.3)

Enables runtime client onboarding without manual setup.

Example Request:

POST /register
Content-Type: application/json

{
  "client_name": "my-mcp-client",
  "redirect_uris": ["https://localhost:3000/callback"],
  "grant_types": ["authorization_code"],
  "response_types": ["code"],
  "scope": "mcp:tools openid profile email"
}

Response:

{
  "client_id": "abc123",
  "registration_access_token": "securetoken",
  "registration_client_uri": "https://localhost:8080/register/abc123"
}

💡 Why it matters

Dynamic registration allows multi-tenant tool ecosystems to register securely at runtime — ideal for automated AI agent provisioning and decentralized MCP tool discovery.

📘 Reference: RFC 7591 §3.3

3. RSA-Signed Bearer Tokens (JWT)

Access tokens are minted as RSA-signed JWTs using a PEM private key, encapsulated by the class.

var jwt = issuerSvc.Mint("user1", lifetime: TimeSpan.FromMinutes(15));

iss: MCP issuer URL
aud: "my-mcp-server"
sub: Spotify-linked user identity
kid: RSA key identifier
exp: short-lived (15 minutes)

JWTs are signed with RS256, verified via the published JWKS endpoint (/.well-known/jwks.json).

📘 Reference: MCP Authorization Spec (Mar 2025)

4. Addressing MCP Authentication Challenges

According to GoFastMCP Authentication, secure MCP auth requires handling federated identity, token delegation, and proof-of-possession.

Challenge	Solution Implemented
Decoupled identity sources (Spotify vs MCP)	Spotify tokens are federated into MCP-issued JWTs, maintaining trust boundaries.
Public clients w/ no secrets	Enforced PKCE (S256) for all clients.
Token delegation and mapping	`/exchange/spotify-token` securely maps Spotify tokens to MCP sessions.
Scoped access for tools	Issued tokens carry `scope=mcp:tools`, enforcing least privilege.
Key rotation & discovery	RSA key published via JWKS, supporting dynamic rotation.

5. Token Lifecycle and Security

Short-lived access tokens (15 mins)
Refresh token rotation (revokes parent on use)
RFC 7009 /revoke endpoint for logout
Spotify token exchange endpoint for federated identity binding

POST /token
grant_type=refresh_token
refresh_token=xyz123

🧩 Architecture

+--------------------------+
|   MCP Client (Tool)      |
|--------------------------|
|  /authorize (PKCE)       |
|  ↳ Redirect to Spotify   |
|  ↳ /spotify-callback     |
|  ↳ /token (MCP JWT)      |
+--------------------------+
              ^
              |
              v
+--------------------------+
|   MCP Auth Server        |
|--------------------------|
|  /register               |
|  /authorize              |
|  /token                  |
|  /exchange/spotify-token |
|  /revoke                 |
+--------------------------+
              ^
              |
              v
+--------------------------+
|   Spotify Web API        |
+--------------------------+

🛡️ Security Highlights

✅ PKCE (S256) enforcement — no client secrets
✅ RSA (RS256) signatures with JWKS endpoint
✅ Strict redirect URI validation
✅ Token rotation & replay protection
✅ OIDC discovery at /.well-known/openid-configuration
✅ Cached key metadata for verifiers

🧠 This project demonstrates:

Security-focused full-stack design, with an emphasis on identity, authentication, and observability
Integration of OpenTelemetry and Azure Monitor for distributed tracing and performance visibility
Modular architecture — easily extendable for GraphQL/REST tooling

builder.Services.AddOpenTelemetry().UseAzureMonitor();

🔮 Future Enhancements

Add OAuth 2.0 Introspection (RFC 7662)
Implement JWKS key rotation scheduler
Add structured audit logging for client registration events
Integrate fine-grained MCP tool scopes
Provide front-end OAuth client sample (React + TypeScript)

🧪 Running Locally

dotnet run

Visit:

Environment Variables

jwt-kid="my-key-id"
jwt-pemPrivateKey="-----BEGIN PRIVATE KEY-----..."
env-issuer="https://localhost:8080"

📄 License

This project is licensed under the MIT License — see for details.

roynjeru/oauth-music-streaming-mcp-server