OAuth-Protected MCP Server

A .NET 9 application that combines an OAuth 2.0 authorization server with a Model Context Protocol (MCP) server in a single process. This server provides secure access to Enphase solar data analysis tools through authenticated MCP connections.

As part of my New Learning Journey, I needed an MCP server requiring authorization to test against Claude Code and an Azure AI Foundry Agent.

This was created by combinging these two C# MCP SDK repos as they existed in July/August 2025:

https://github.com/modelcontextprotocol/csharp-sdk/tree/main/samples/ProtectedMcpServer https://github.com/modelcontextprotocol/csharp-sdk/tree/main/tests/ModelContextProtocol.TestOAuthServer

Note: ignore the SSE part of the names here, this is now an Http Transport MCP Server.

Please see my LinkedIn post for more info: https://www.linkedin.com/feed/update/urn:li:share:7364031524003815424/

Features

Core Functionality

• OAuth 2.0 authentication with JWT tokens
• MCP server with Enphase solar data tools
• Single application - no separate OAuth server needed
• Azure AI Foundry agent compatible
• Claude Code compatible (manual auth flow)
• ngrok support for external access

OAuth 2.0 Capabilities

• Full OAuth 2.0 flow support - Authorization code, client credentials, refresh tokens
• PKCE support (S256 code challenge)
• Dynamic client registration (basic RFC 7591 support)
• Token introspection endpoint
• Multiple grant types (authorization_code, client_credentials, refresh_token)
• 8-hour token expiration (configurable)

MCP Integration

• Stateless MCP transport - Required for Azure AI Foundry compatibility
• Protected endpoints - All MCP tools require valid JWT tokens
• Enphase solar data tools - Analyze solar panel performance and energy production

Architecture

URL Structure

• OAuth endpoints at root (/.well-known/*, /token, /register, /authorize)
• MCP endpoints at /mcp
• Single port (7071) with ngrok tunneling for external access
• Clear URL separation - public ngrok URLs vs local Kestrel binding

Key Implementation Details

• Persistent RSA keys - RSA signing keys saved to file and reloaded on restart
• Hybrid OAuth storage - Core OAuth server in-memory with persistent client registration
• Client persistence - Dynamically registered clients saved to oauth-clients.json
• Audience/Issuer validation - proper JWT claim validation
• File-based persistence - RSA keys and registered clients survive server restarts

Usage

Quick Start

1. Update ngrok URL in Program.cs (line 39):

   var publicBaseUrl = "https://your-ngrok-domain.ngrok-free.app/";
   

2. Start ngrok tunnel:

   ngrok http 7071 --domain=your-static-domain.ngrok-free.app
   

3. Run the application:

   dotnet run
   

4. Get demo token (displayed on startup):

   curl -k -d "grant_type=client_credentials&client_id=demo-client&client_secret=demo-secret&resource=https://your-ngrok-domain.ngrok-free.app/mcp/" -X POST https://your-ngrok-domain.ngrok-free.app/token
   

Azure AI Foundry Integration

• Manual token workflow - Generate token via curl, copy to agent configuration
• Stateless transport - Compatible with Azure AI agent requirements
• Bearer token authentication - Add token to agent HTTP headers

Claude Code Integration

• Manual auth flow - Copy/paste authentication URL when browser doesn't open
• OAuth discovery - Automatic detection of OAuth endpoints
• Dynamic client registration - Supports automatic client setup

Data Tools

Enphase Solar Analysis

• Sample data included - Contains Enphase solar CSV files for immediate testing
• Command-line data path - Optional argument to specify custom data directory

... View full README on GitHub