Connector Test
БесплатноНе проверенA remote MCP server demonstrating OAuth 2.1 authentication with Firebase, providing a 'whoami' tool that returns the authenticated user's identity and plan.
Описание
A remote MCP server demonstrating OAuth 2.1 authentication with Firebase, providing a 'whoami' tool that returns the authenticated user's identity and plan.
README
A small, self-contained remote MCP server that demonstrates the full authentication handshake a
Claude Connector goes through — OAuth 2.1 discovery, dynamic
client registration, PKCE, an interactive sign-in page, and a token-protected tool call. Users are
authenticated against a Firebase project, and a single whoami tool returns their real identity
(profile + plan) read from Firestore.
It was built as a prototype for a Smodin Claude Connector, but it works with any Firebase project — plug in your own and run it.
⚠️ Prototype, not production. This server's own access/refresh tokens are HS256 JWTs signed with a shared secret, and all OAuth state (registered clients, auth codes) is kept in memory and resets on restart. The user identity is real (verified Firebase ID token + Firestore lookup), but the token layer is intentionally simple. Don't deploy this as-is.
How it works
Claude / Inspector This server (:8000) Firebase
│ POST /mcp (no token) ──▶ 401 + WWW-Authenticate
│ reads /.well-known/* ──▶ OAuth discovery + PKCE metadata
│ POST /register ──▶ dynamic client registration
│ opens /authorize ─────▶ 302 → /login (our sign-in page)
│ │ Firebase JS SDK sign-in ──▶ ID token
│ │ POST /login/complete (ID token)
│ │ verify token + read Firestore profile/plan
│ POST /token (+PKCE) ──▶ access + refresh token
│ POST /mcp (Bearer) ───▶ whoami → real identity
The MCP SDK's mcpAuthRouter and requireBearerAuth provide the OAuth HTTP plumbing. This repo
implements the authorization-server logic (OAuthServerProvider), the Firebase sign-in page, and the
Firestore identity lookup.
Project structure
| File | Purpose |
|---|---|
src/index.ts |
Express app: OAuth router, sign-in routes, token-protected /mcp (Streamable HTTP). |
src/config.ts |
Environment config; derives all OAuth URLs from PUBLIC_BASE_URL. |
src/tokens.ts |
Sign/verify the server's JWT access + refresh tokens. |
src/auth/provider.ts |
OAuthServerProvider implementation (authorize / token / PKCE / verify). |
src/auth/store.ts |
In-memory stores: clients, pending authorizations, auth codes, refresh tokens. |
src/auth/login-page.ts |
Firebase sign-in screen (GET /login) + POST /login/complete. |
src/firebase/admin.ts |
firebase-admin init + verifyIdToken. |
src/firebase/smodin-user.ts |
Firestore profile/plan lookup + paid-status logic. |
src/mcp/server.ts |
MCP server + the whoami tool. |
scripts/seed-user.mjs |
Seed a Firestore profile for a test user (optional). |
Prerequisites
- Node.js 18+
- A Firebase project (a free/throwaway one is fine)
Firebase setup
- Authentication → enable a sign-in method. Email/Password is recommended (works on
localhostand any tunnel with no extra config). Google works too, but see the caveat below. - Firestore Database → create it (Native mode). Required even if empty — the profile lookup errors if no database exists.
- Service account (Project settings → Service accounts → Generate new private key) → download the JSON. This lets the server read Firestore. Keep it outside the repo.
- Grab your web app config (Project settings → General → Your apps) for the
FIREBASE_*values.
Configuration
cp .env.example .env
Fill in .env (see comments in .env.example):
| Variable | What it is |
|---|---|
FIREBASE_PROJECT_ID |
Your Firebase project id |
FIREBASE_WEB_API_KEY |
Web API key (public — shipped to the browser) |
FIREBASE_AUTH_DOMAIN |
<project-id>.firebaseapp.com |
GOOGLE_APPLICATION_CREDENTIALS |
Absolute path to the service-account JSON |
TOKEN_SECRET |
Long random string for signing this server's JWTs |
PUBLIC_BASE_URL |
Only needed behind a tunnel (see below) |
Run
npm install
npm run build # type-check + compile
npm run dev # watch mode on http://localhost:8000
Quick health check:
curl http://localhost:8000/.well-known/oauth-authorization-server
curl -i -X POST http://localhost:8000/mcp \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}' # -> 401 + WWW-Authenticate
Test the full flow (MCP Inspector)
npm run inspect
In the Inspector: transport Streamable HTTP, URL http://localhost:8000/mcp, Connect. It runs
OAuth discovery → registration → opens the sign-in page. Sign in with a test user (email/password),
then call whoami — it returns that user's real identity.
On a fresh project with no Firestore documents, whoami returns the real uid/email with
plan: free. To see a real plan, seed a profile:
npm run seed -- <FIREBASE_UID> [email protected] "Test User" premium
(Get <FIREBASE_UID> from Firebase console → Authentication → Users. Pass free instead of
premium for a free account.)
Add it to claude.ai
Custom connectors require a paid Claude plan and a public HTTPS URL.
- Tunnel to the local server:
cloudflared tunnel --url http://localhost:8000 # or: ngrok http 8000 - Set
PUBLIC_BASE_URLin.envto the tunnel URL and restart (all OAuth URLs derive from it). - In claude.ai → Settings → Connectors → Add custom connector → paste
https://<your-tunnel-host>/mcp. - Sign in on the connector's page, then ask Claude to run
whoami.
Caveats
- Google sign-in needs an authorized domain.
signInWithPopuprequires the app origin to be in the Firebase project's Authorized domains.localhostis allowed by default; ad-hoc tunnel hosts are not (you'd add them). Email/password has no such restriction. - Project alignment. The ID token's
aud, the client-configprojectId, and the adminprojectIdmust all be the same Firebase project. - The profile/plan is snapshotted into the access token at login (fine for a prototype).
Security notes
- Never commit
.envor the service-account JSON — both are gitignored. - The web API key is intentionally public; the service-account key is a secret — keep it out of the repo and rotate it if exposed.
- Replace the in-memory token layer before any real deployment.
License
MIT — see LICENSE.
Установка Connector Test
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/hasnaties/mcp-connector-testFAQ
Connector Test MCP бесплатный?
Да, Connector Test MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Connector Test?
Нет, Connector Test работает без API-ключей и переменных окружения.
Connector Test — hosted или self-hosted?
Доступен hosted-вариант: Unyly запускает сервер в облаке, локальная установка не обязательна.
Как установить Connector Test в Claude Desktop, Claude Code или Cursor?
Открой Connector Test на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
GitHub
PRs, issues, code search, CI status
автор: GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
автор: mcpdotdirectCompare Connector Test with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории development
