Skip to content

Expose OAuth token management parameters across all providers #2222

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jlowin merged 1 commit into from
Oct 23, 2025
Merged

Expose OAuth token management parameters across all providers #2222

jlowin merged 1 commit into from
Oct 23, 2025

Conversation

@jlowin
Copy link
Owner

@jlowin jlowin commented Oct 23, 2025

Closes #2208

All OAuth providers and the OIDC proxy now expose the three production-critical parameters for persistent token management across server restarts:

  • jwt_signing_key: Secret for signing FastMCP JWT tokens
  • token_encryption_key: Secret for encrypting upstream OAuth tokens at rest
  • client_storage: AsyncKeyValue storage for persisting client registrations

What Changed

OIDCProxy now accepts and passes through both encryption parameters to OAuthProxy.

All provider classes now expose all three parameters:

  • GoogleProvider
  • GitHubProvider
  • AzureProvider
  • WorkOSProvider
  • Auth0Provider
  • AWSCognitoProvider

Production Usage

import os
from fastmcp import FastMCP
from fastmcp.server.auth.providers.google import GoogleProvider
from key_value.aio.stores.redis import RedisStore

auth = GoogleProvider(
    client_id="...",
    client_secret="...",
    base_url="https://production.com",
    
    # Production token management
    jwt_signing_key=os.environ["JWT_SIGNING_KEY"],
    token_encryption_key=os.environ["TOKEN_ENCRYPTION_KEY"],
    client_storage=RedisStore(
        host=os.environ["REDIS_HOST"],
        port=int(os.environ["REDIS_PORT"])
    )
)

mcp = FastMCP("Production App", auth=auth)

All three parameters work together to ensure tokens and registrations survive restarts in distributed deployments.

Documentation

Added "Production Configuration" sections (with version badges) to all provider integration guides demonstrating complete setup with Redis and environment variables.

@jlowin
Expose OAuth token management parameters in all providers
6edbf3d 
All OAuth providers and OIDCProxy now expose jwt_signing_key,
token_encryption_key, and client_storage parameters for production
deployments requiring persistent token management across server restarts.
@marvin-context-protocol marvin-context-protocol bot added bug Something isn't working. Reports of errors, unexpected behavior, or broken functionality. auth Related to authentication (Bearer, JWT, OAuth, WorkOS) for client or server. labels Oct 23, 2025
@jlowin jlowin added this to the 2.13.0 milestone Oct 23, 2025
@jlowin jlowin merged commit 980d051 into main Oct 23, 2025
12 checks passed
@jlowin jlowin deleted the expose-oauth-token-params branch October 23, 2025 01:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

auth Related to authentication (Bearer, JWT, OAuth, WorkOS) for client or server. bug Something isn't working. Reports of errors, unexpected behavior, or broken functionality.

Projects

None yet

Milestone

2.13.0

Development

Successfully merging this pull request may close these issues.

TypeError: AzureProvider.__init__() got an unexpected keyword argument 'jwt_signing_key'

2 participants

@jlowin