feat: add OAuth 2.0 PKCE authentication support#218
Conversation
Adds JIRA_AUTH_TYPE=oauth mode alongside existing basic auth. Implements full PKCE flow with browser-based authorization, automatic token refresh, and persistent token storage at ~/.mcp-jira-stdio/tokens.json. Co-authored-by: Claude <claude@anthropic.com>
Add setup instructions, environment variable table, troubleshooting entries, and Docker usage examples for the new JIRA_AUTH_TYPE=oauth mode. Co-authored-by: Claude <claude@anthropic.com>
1225ea8 to
09cd7ba
Compare
|
Thanks a lot for this PR, @mstrlc — OAuth 2.0 PKCE support is a genuinely useful addition for orgs that disable personal API tokens, and the overall shape (opt-in via I did a thorough review. Before merging I'd like a few must-fix items addressed, all in Must-fix (blocking)
CIThe CI workflow hadn't run on this PR (fork PR — it needs maintainer approval). I'm approving the run now so we can see lint / typecheck / Not blocking
Happy to re-review as soon as the four items above are in and CI is green. Thanks again for the contribution! 🚀 |
|
CI ran now — it fails only at the lint step (the other matrix jobs were cancelled by fail-fast, not real failures).
Once lint is green the job will continue to typecheck → |
|
@mstrlc thanks for the PR and for adding OAuth 2.0 PKCE support! 🙏 The test suite is currently failing on all Node versions ( |
Summary
JIRA_AUTH_TYPE=oauthmode alongside the existing basic auth (API token) — no breaking changes for existing users~/.mcp-jira-stdio/tokens.json(mode600)Motivation
Some Atlassian organizations disable personal API token access for security policy reasons. This PR makes the server usable in those environments without requiring any changes to existing basic-auth setups.
Changes
New file
src/utils/oauth.ts— PKCE authorization flow, token exchange, refresh, file-based + in-memory cacheModified files
src/types/common.ts—JiraAuthConfig.email/apiTokenmade optional;authTypefield addedsrc/utils/jira-auth.ts—validateAuth(),getAuthenticatedClient(), andgetMultipartClient()branch onJIRA_AUTH_TYPE; OAuth path uses async interceptor to inject Bearer token + correct base URL per requestsrc/index.ts— Startup log handles OAuth path.env.example— Documents the three new env varsDocs
README.md— OAuth 2.0 Setup section, updated Quick Install / Configuration / MCP client config / env vars table / troubleshootingDOCKER.md— OAuthdocker runexamples with token persistence and callback portEnvironment variables
JIRA_AUTH_TYPEbasic(default) oroauthJIRA_OAUTH_CLIENT_IDJIRA_OAUTH_CLIENT_SECRETCallback URL to register in the Atlassian app:
http://localhost:7789/callbackRequired OAuth scopes:
read:jira-user read:jira-work write:jira-work offline_accessTest plan
JIRA_EMAIL+JIRA_API_TOKENconfig (no env change needed)JIRA_AUTH_TYPE=oauthwith valid client credentials opens browser, completes authorization, and stores tokens in~/.mcp-jira-stdio/tokens.json