OAuth 2.0 Test Server

A fast, fully configurable, in-memory OAuth 2.0 + OpenID Connect authorization server for testing, zero-HTTP mode and DCR support for testing auth flow in MCP Servers and MCP Clients.

This server was developed with the purpose of supporting testing and development of the rust-mcp-sdk, but it works perfectly as a general-purpose auth mocking in any Rust (or non-Rust) project , unit tests, integration suites, local dev, or quick prototypes.
Refer to Key Features to find out more.

⚠️ For testing/development only

• In-memory storage (not persistent)
• No rate limiting or attack protection
• Use in test suites, CI/CD, local development

Purpose

This server implements all major OAuth 2.0 flows and OpenID Connect core features in-memory, making it ideal for:

• Testing OAuth clients (web, mobile, SPA, backend)
• Specifically tailored for testing authentication flow MCP Servers and Clients, with DCR support
• End-to-end flow validation
• Local development
• Integration testing of authorization flows
• Local development against a real OAuth provider
• Demonstrating OAuth concepts
• CI/CD pipeline validation

Supported Standards

Key Features

• Dynamic Client Registration (DCR) (POST /register) with full metadata support
• Authorization Code Flow with PKCE (/authorize, /token)
• Refresh Token Flow with rotation and revocation
• Client Credentials Grant
• Device Code Flow (RFC 8628) (/device/code, /device/token)
• JWT Access Tokens signed with RS256 (auto-generated RSA key pair)
• ID Tokens with at_hash, c_hash, nonce, standard claims
• Token Introspection (POST /introspect) with expiration checking
• Token Revocation (POST /revoke)
• OpenID Connect Discovery (.well-known/openid-configuration)
• JWKS Endpoint (.well-known/jwks.json)
• UserInfo Endpoint (GET /userinfo)
• In-memory stores (clients, codes, tokens, device codes) - no external DB required
• Background TTL cleanup for expired tokens/codes

... View full README on GitHub