This sample demonstrates how to secure an MCP server using OAuth2, as per the MCP specification.
Run the project with:
```shell
./mvnw spring-boot:run
```
Obtain a token by calling the `/oauth2/token` endpoint:
```shell
curl -XPOST "http://localhost:8080/oauth2/token" \
  --data grant_type=client_credentials \
  --user "mcp-client:secret"
# And copy-paste the access token
# Or use JQ:
curl -XPOST "http://localhost:8080/oauth2/token" \
  --data grant_type=client_credentials \
  --user "mcp-client:secret" | jq -r ".access_token"
```
Store that token, and then boot up the MCP inspector:
```shell
npx @modelcontextprotocol/[email protected]
```
In the MCP inspector, paste your token. Click connect, and voilà!
Note that the token is only valid for 5 minutes.
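To check how much of that 5-minute window is left before pasting a token into the inspector, the following added example (not part of the sample project) decodes the token's claims locally. It assumes the access token is a JWT with numeric `iat` and `exp` claims; the function names are hypothetical and the sample token is constructed.

```shell
#!/bin/sh
# Added example: inspect a JWT access token's lifetime before using it.
# Assumes the token is a JWT carrying numeric "iat" and "exp" claims.
# Decoding only: the signature is NOT verified here; that stays the
# resource server's job.

# Print the decoded payload (second dot-separated segment) of a JWT.
jwt_payload() (
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  # base64url omits padding; restore it to a multiple of 4 characters.
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done
  printf '%s' "$seg" | base64 -d
)

# Print one numeric claim (e.g. iat, exp) without needing jq.
jwt_num_claim() {
  jwt_payload "$1" |
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p"
}

# Total validity window in seconds (exp - iat).
jwt_lifetime() {
  echo $(( $(jwt_num_claim "$1" exp) - $(jwt_num_claim "$1" iat) ))
}

# Seconds remaining at time $2 (defaults to now); negative means expired.
jwt_seconds_left() {
  echo $(( $(jwt_num_claim "$1" exp) - ${2:-$(date +%s)} ))
}

# Constructed sample token (not issued by any server): placeholder header
# and signature around a payload that is valid for 300 seconds.
b64url() { base64 | tr '+/' '-_' | tr -d '=\n'; }
SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256"}' | b64url).$(printf '%s' \
  '{"sub":"mcp-client","iat":1700000000,"exp":1700000300}' | b64url).sig"

echo "lifetime: $(jwt_lifetime "$SAMPLE_TOKEN")s"
# Against the running sample, TOKEN would hold the output of the
# curl ... | jq -r ".access_token" command, and then:
#   jwt_seconds_left "$TOKEN"
```

A negative result from `jwt_seconds_left` means the token has expired and a new one must be requested from `/oauth2/token`.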
In Spring, OAuth2 support for an MCP server means adding:
- Spring Security (infrastructure for security)
- Spring Authorization Server (issuing tokens)
- Spring Security: OAuth2 Resource Server (authentication using tokens)
Note that Spring Auth Server does not support the reactive stack, so issuing tokens only works on the Servlet stack.