Fix examples + doc tweaks

bhosmer-ant · bhosmer-ant · commit 8f9a0dbcd815 · 2025-10-06T23:21:09.000-04:00
diff --git a/docs/endpoints.md b/docs/endpoints.md
@@ -2,7 +2,7 @@
 
 Complete listing of all endpoints provided by each server in the architecture.
 
-## Auth Server (Port 3001)
+## Auth Server
 
 Standalone OAuth 2.0 authorization server that handles authentication and token management.
 
@@ -37,7 +37,7 @@ Local simulation of upstream IDP (would be external in production):
 
 ---
 
-## MCP Server (Port 3232)
+## MCP Server
 
 MCP resource server that implements the Model Context Protocol with delegated authentication.
 
diff --git a/docs/oauth-architecture-patterns.md b/docs/oauth-architecture-patterns.md
@@ -6,9 +6,9 @@ This document describes different OAuth 2.0 architecture patterns for MCP server
 
 Per the MCP specification, "the authorization server may be hosted with the resource server or as a separate entity." This leads to two primary patterns for implementing OAuth in MCP servers.
 
-## Pattern 1: Separate Authorization Server (Implemented)
+## Pattern 1: Separate Authorization Server (Recommended)
 
-The current implementation uses this production-ready pattern with separate authorization and resource servers.
+The current implementation demonstrates this pattern with separate authorization and resource servers. (Note: the authorization server is for demonstration purposes only.)
 
 ### Architecture
 
@@ -19,173 +19,51 @@ The current implementation uses this production-ready pattern with separate auth
 │             │         │  (port 3001)     │validate │  (port 3232)    │
 │             │<────────│                  │         │                 │
 │             │  token  │  Issues tokens   │         │  Serves MCP     │
-│             │         │                  │         │  resources      │
+│             │         └──────────────────┘         │  resources      │
 │             │────────────────────────────────────> │                 │
 │             │         MCP requests with token      │                 │
 └─────────────┘                                      └─────────────────┘
 ```
 
 ### Components
 
-1. **Authorization Server** (port 3001)
+1. **Demo Authorization Server** (port 3001)
    - Handles OAuth 2.0 authorization flow
    - Issues and manages tokens
    - Provides token introspection endpoint (RFC 7662)
-   - Can be replaced with Auth0, Okta, Google OAuth, etc.
+   - Should be replaced with Auth0, Okta, Google OAuth, etc.
 
 2. **MCP Resource Server** (port 3232)
    - Serves MCP protocol resources
    - Validates tokens via introspection
    - Contains no OAuth authorization code
    - Focuses purely on MCP functionality
 
-### Benefits
+### Using a Commercial Auth Provider
 
-- **Standards Compliance**: Follows OAuth 2.0 best practices
-- **Flexibility**: Easy to swap auth providers
-- **Scalability**: Servers scale independently
-- **Security**: Clear security boundaries
-- **Maintainability**: Separation of concerns
-
-### Real-World Use Cases
-
-- **SaaS Applications**: Using Auth0 or Okta for authentication
-- **Enterprise**: Integrating with corporate SSO (SAML, LDAP)
-- **Social Login**: Google, GitHub, Facebook authentication
-- **Cloud Native**: AWS Cognito, Azure AD integration
-
-### Implementation Details
-
-The MCP server validates tokens by calling the auth server's `/introspect` endpoint:
-
-```typescript
-// In MCP server
-const response = await fetch(`${AUTH_SERVER_URL}/introspect`, {
-  method: 'POST',
-  headers: {
-    'Content-Type': 'application/x-www-form-urlencoded',
-  },
-  body: `token=${accessToken}`
-});
+Replacing the demo auth server with a commercial provider:
 
-const introspection = await response.json();
-if (introspection.active) {
-  // Token is valid, extract user info
-  const userId = introspection.sub;
-}
-```
+1. **Configure provider**: Set up OAuth app in commercial provider (e.g. Auth0/Okta)
+2. **Update metadata URL**: Point to provider's discovery endpoint
+3. **Configure introspection**: Set up token validation
+4. **Update redirect URIs**: Configure allowed callbacks
+5. **Migrate users**: Import existing users if needed
+6. **Test integration**: Verify full OAuth flow
 
 ---
 
-## Pattern 2: Embedded Authorization Server (Alternative)
-
-An alternative pattern where the OAuth server is embedded within the MCP server. This demonstrates a self-hosted OAuth 2.1 authorization server running in the same process as the MCP server.
-
-### Architecture
-
-```
-┌─────────────┐         ┌─────────────────────────┐
-│             │  OAuth  │                         │
-│  MCP Client │────────>│    MCP Server           │
-│             │         │  ┌──────────────────┐  │
-│             │<────────│  │ OAuth Server     │  │
-│             │  token  │  └──────────────────┘  │
-│             │         │  ┌──────────────────┐  │
-│             │────────>│  │ MCP Resources    │  │
-│             │   MCP   │  └──────────────────┘  │
-└─────────────┘         └─────────────────────────┘
-```
-
-### Upstream Delegation Pattern
-
-Embedded OAuth often delegates user authentication to an upstream identity provider while maintaining control over token issuance:
-
-```
-MCP Client                   MCP+OAuth Server              Upstream IDP
-   │                              │                         (Corporate SSO)
-   │──1. /authorize───────────────>│                              │
-   │<───(show auth page)───────────│                              │
-   │                               │                              │
-   │──2. Click "Continue"──────────>│                              │
-   │<──redirect to upstream────────│                              │
-   │                               │                              │
-   │──3. /upstream/authorize────────────────────────────────────────>│
-   │<──(authenticate user)──────────────────────────────────────────│
-   │──4. Provide credentials────────────────────────────────────────>│
-   │<──redirect with userId─────────────────────────────────────────│
-   │                               │                              │
-   │──5. /callback with userId───────>│                              │
-   │                               │──(validate userId)            │
-   │                               │──(issue MCP tokens)           │
-   │<──redirect with auth code──────│                              │
-   │                               │                              │
-   │──6. /token (exchange code)─────>│                              │
-   │<──MCP access token─────────────│                              │
-```
-
-### Characteristics
-
-- **Single Server**: OAuth and MCP in one process
-- **Port**: Typically runs on single port (e.g., 3232)
-- **Token Validation**: In-process, direct database access
-- **Deployment**: Simpler, fewer moving parts
-- **Upstream Delegation**: Can delegate authentication to corporate SSO while controlling token issuance
+## Pattern 2: Embedded Authorization Server (Alternative/Legacy)
 
-### Benefits
+The MCP spec describes an alternative pattern where the OAuth server is embedded within the MCP server. However, this pattern is not recommended in the general case, and is not demonstrated in this codebase.
 
-- **Simplicity**: Single server to deploy and manage
-- **Performance**: No network hop for token validation
-- **Self-Contained**: All functionality in one codebase
-- **Control**: Full control over token issuance while leveraging existing identity infrastructure
-
-### Drawbacks
-
-- **Coupling**: Auth and MCP logic intertwined
-- **Scalability**: Can't scale auth independently
-- **Flexibility**: Harder to switch auth providers
-- **Updates**: Auth changes require MCP server updates
-
-### Use Cases
+### Possible Use Cases
 
 - **Enterprise Deployments**: Organizations needing control over OAuth token issuance while leveraging existing corporate identity infrastructure (LDAP, Active Directory, SAML)
 - **Proof of Concepts**: Quick prototypes and demonstrations
 - **Small Deployments**: Internal tools with simple auth needs
 - **Isolated Systems**: Air-gapped environments without external connectivity
 - **Custom Auth Requirements**: Specialized authentication needs not met by standard providers
 
-### Typical Configuration
-
-Environment variables for embedded pattern:
-```bash
-BASE_URI=http://localhost:3232      # Single server URL
-PORT=3232                           # Single port for OAuth + MCP
-REDIS_URL=redis://localhost:6379    # Session storage
-UPSTREAM_IDP_URL=https://corp.sso  # Optional: upstream identity provider
-```
-
-### Code Organization
-
-Typical structure for embedded OAuth implementation:
-```
-src/
-├── index.ts                 # Main entry point (MCP + OAuth + routing)
-├── auth/
-│   ├── provider.ts          # OAuth server implementation
-│   └── auth-core.ts         # Token generation, PKCE utilities
-├── services/
-│   ├── mcp.ts               # MCP protocol implementation
-│   ├── auth.ts              # Auth service integration
-│   ├── redis-auth.ts        # Redis auth operations
-│   └── redisTransport.ts    # Redis-backed transport
-├── handlers/
-│   ├── oauth.ts             # OAuth endpoints (/authorize, /token)
-│   ├── mcp-shttp.ts         # Streamable HTTP handler
-│   ├── mcp-sse.ts           # SSE handler
-│   └── upstream-idp.ts      # Upstream IDP integration
-└── utils/
-    └── logger.ts            # Structured logging
-```
-
 ---
 
 ## Comparison
@@ -195,42 +73,11 @@ src/
 | **Architecture** | 2+ servers | 1 server |
 | **OAuth endpoints** | On auth server | On MCP server |
 | **Token validation** | Remote (introspection) | In-process |
-| **Deployment** | More complex | Simpler |
-| **Scalability** | Independent scaling | Coupled scaling |
-| **Provider integration** | Easy (standard APIs) | Difficult |
-| **Code organization** | Clear separation | Mixed concerns |
-| **Network hops** | Additional for validation | None for validation |
 | **Upstream IDP support** | Via auth server | Direct integration |
 | **Production readiness** | ✅ Recommended | ⚠️ Limited use cases |
 
 ---
 
-## Migration Path
-
-### From Embedded to Separate
-
-If starting with embedded OAuth, migration to separate servers involves:
-
-1. **Extract auth code**: Move OAuth handlers to separate service
-2. **Implement introspection**: Add RFC 7662 endpoint
-3. **Update MCP server**: Replace in-process validation with introspection calls
-4. **Update configuration**: Point MCP server to auth server URL
-5. **Migrate upstream IDP**: Move delegation logic to auth server
-6. **Test thoroughly**: Ensure token flow works correctly
-
-### From Separate to Commercial Provider
-
-Replacing the demo auth server with a commercial provider:
-
-1. **Configure provider**: Set up OAuth app in Auth0/Okta
-2. **Update metadata URL**: Point to provider's discovery endpoint
-3. **Configure introspection**: Set up token validation
-4. **Update redirect URIs**: Configure allowed callbacks
-5. **Migrate users**: Import existing users if needed
-6. **Test integration**: Verify full OAuth flow
-
----
-
 ## Best Practices
 
 1. **Use separate servers** for production deployments
diff --git a/docs/oauth-flow.md b/docs/oauth-flow.md
@@ -194,18 +194,6 @@ This ensures only the client that initiated the flow can exchange the code, even
 
 ---
 
-## Architecture Benefits
-
-The separate server architecture provides:
-
-1. **Standards Compliance**: Follows OAuth 2.0 best practices for resource/authorization server separation
-2. **Flexibility**: Auth server can be replaced with Auth0, Okta, or other providers
-3. **Scalability**: Auth and MCP servers can scale independently based on load
-4. **Security**: Token validation via introspection endpoint (RFC 7662)
-5. **Maintainability**: Clear separation of authentication and business logic
-
----
-
 ## References
 
 - [RFC 6749: OAuth 2.0 Framework](https://datatracker.ietf.org/doc/html/rfc6749)
diff --git a/examples/README.md b/examples/README.md
@@ -29,16 +29,21 @@ Shell script demonstrating API interactions using curl.
 # Make executable
 chmod +x curl-examples.sh
 
-# Register client (step 1)
+# Step 1: Register OAuth client (automatic when no token provided)
 ./curl-examples.sh
 
-# After getting token (via MCP Inspector)
+# Step 2: Initialize MCP session (after getting token via MCP Inspector or client.js)
 ./curl-examples.sh YOUR_ACCESS_TOKEN
 
-# With session ID
+# Step 3: Run all examples (with session ID from step 2)
 ./curl-examples.sh YOUR_ACCESS_TOKEN YOUR_SESSION_ID
 ```
 
+The script guides you through the process:
+- First run registers an OAuth client automatically
+- Second run initializes an MCP session and returns a session ID
+- Third run executes all the example MCP operations
+
 ### client.js
 
 Node.js client showing programmatic interaction with the MCP server.
@@ -59,6 +64,20 @@ chmod +x client.js
 ./client.js
 ```
 
+**Note:** When you complete the OAuth flow in your browser, you'll be redirected to `http://localhost:8080/callback` which will show "site can't be reached". This is expected! Simply copy the authorization code from the URL in your browser's address bar (the long string after `code=`). The script will exchange this for an access token and display it for use with other tools.
+
+## Understanding OAuth Tokens
+
+**Authorization Code** vs **Access Token**:
+- **Authorization Code**: The temporary code you get from the browser redirect (e.g., `302a80e8...`)
+  - One-time use only
+  - Must be exchanged for an access token
+  - Expires quickly (usually within minutes)
+- **Access Token**: The actual bearer token for API authentication (e.g., `mcp_at_...`)
+  - Used in the `Authorization: Bearer` header
+  - Valid for 7 days
+  - What you need for `curl-examples.sh`
+
 ## Getting an Access Token
 
 ### Option 1: MCP Inspector (Easiest)
diff --git a/examples/client.js b/examples/client.js
diff --git a/examples/curl-examples.sh b/examples/curl-examples.sh
