- Issue created by @alvarodemendoza
- 🇬🇪 Georgia gagosha
It's part of the module roadmap and a work in progress. Right now I'm in the research phase, so I'm open to conversation about how we can implement it.
- Status changed to Needs work
about 2 months ago 7:59pm 20 August 2025 - 🇳🇱 Netherlands askibinski
Let me share my findings, since I got this working (at least with MCP Inspector and Claude Code, but Claude.ai/desktop should also work).
This is the main documentation with specifications:
https://modelcontextprotocol.io/specification/2025-03-26/basic/authoriza...
I leveraged the simple_oauth module which uses the php league oauth library for the heavy lifting. However, the module does not support Dynamic Client Registration (DCR) which is required (at least, if you want to make it frictionless). See RFC7591.
I used a PKCE Flow - Secure public client authentication without client secrets.
I had an issue that default scopes were not supported and had to work around that. Basically, on register (DCR) a consumer entity is created with default scopes and those need to be used in the request. Related: "Provide default scopes if client is not requesting a specific scope" (Closed: outdated)
The MCP inspector's Oauth guide is really helpful in debugging all this locally.
- 🇬🇪 Georgia gagosha
Hey @askibinski, great to see someone interested in making it work.
As I remember, when I researched the auth implementation, there were the following requirements - Version 2025-06-18:
* OAuth 2.0 Authorization Server Metadata (RFC8414) - MUST
* OAuth 2.0 Dynamic Client Registration Protocol (RFC7591) - SHOULD
* OAuth 2.0 Protected Resource Metadata (RFC9728) - MUST

And Dynamic Client Registration is a MUST if we want to work with Claude Web or any other web-based clients. So I'd actually consider it a MUST.
I had a conversation with @bojan_dev, maintainer of the simple_oauth module, and:
For RFC8414, these need to be done:
https://www.drupal.org/project/simple_oauth/issues/3174705 - Implement JWKs (RFC 7517) and OAuth metadata (RFC 8414) (Needs work)
https://www.drupal.org/project/simple_oauth/issues/3033472 - [PP-1] Support OpenID Connect Discovery (Needs review)
RFC7591 and RFC9728 - nothing has been done yet.
As you pointed out, the previous version supported the PKCE Flow without these requirements. It's interesting if the latest version also supports this as is (I got these requirements from the latest version, as I mentioned, and never checked the old one :D).