Shipping an OAuth-protected remote MCP server: the spec and 3 security bugs
The article describes the process of shipping a remote MCP (Model Context Protocol) server with OAuth protection, covering both the specification's implementation and three security bugs discovered during development.
Background
- MCP (Model Context Protocol) is an open standard by Anthropic that lets AI assistants connect to external tools, APIs, and data sources. "Remote MCP" means the server is accessible over the internet, not just locally.
- OAuth is an authorization framework (the mechanism behind "Sign in with Google") that lets apps access a user's data without ever seeing the user's password. OAuth 2.1 is the latest, tightened revision of the spec.
- The article walks through implementing OAuth for a remote MCP server, then shows three security bugs found while building it: an exposed client secret, missing redirect URI validation (token theft via open redirect), and state parameter reuse (CSRF-like session hijack).
- MCP is new (late 2024) and still maturing. Remote MCP servers give AI models live access to databases, email, file storage — so auth bugs can leak tokens/data or let attackers impersonate users in AI workflows.