OAuth Implementation in Multi-User Proxy Service Context - FastMCP Local Callback Server

[Shriram-11]

First, I want to say that FastMCP is an excellent library with a really clean and intuitive API design! The abstractions and developer experience are top-notch.

Context & Use Case

I'm building a web service where multiple users can connect to various MCP servers through a single proxy instance, each with their own OAuth credentials. However, I've encountered some challenges with the current OAuth implementation when applied to this multi-user proxy architecture.

Current FastMCP OAuth Flow Issues in Proxy Context

1. Browser Opens on Proxy Machine

async def redirect_handler(authorization_url: str) -> None:
    """Open browser for authorization."""
    logger.info(f"OAuth authorization URL: {authorization_url}")
    webbrowser.open(authorization_url)  # Opens on proxy server, not user's machine

2. Callback Server Location

def OAuth(mcp_url: str, ...):
    # Creates local callback server on proxy machine:
    redirect_port = find_available_port()
    redirect_uri = f"http://127.0.0.1:{redirect_port}/callback"
    # Remote user's browser can't reach proxy's 127.0.0.1

3. Token Storage Per Server, Not Per User

class FileTokenStorage(TokenStorage):
    def __init__(self, server_url: str, cache_dir: Path | None = None):
        self.server_url = server_url  # Server-scoped, but not user-scoped
        # All users connecting to same server share tokens

Multi-User Proxy Scenario

┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│   User A        │───▶│   Proxy Service │───▶│  MCP Server     │
│  (remote)       │    │   (localhost)   │    │  (OAuth-enabled)│
└─────────────────┘    └─────────────────┘    └─────────────────┘
                              │                         │
                              │                         │
                              ▼                         ▼
                       webbrowser.open()         OAuth callback to
                       (opens on proxy!)         127.0.0.1:port
                       User A can't see!         (User A can't reach!)

Questions

1. Is the current OAuth implementation primarily intended for single-user, co-located clients (desktop apps, CLI tools) where the FastMCP client and user share the same environment?

2. Are there plans to support multi-user proxy scenarios, or is this outside the intended scope of FastMCP?

3. Is OAuth the right approach for multi-user proxy services, or should we follow a different authentication pattern for this use case?

4. What would be the recommended approach for building an MCP proxy service that serves multiple users who need OAuth authentication?

Potential approaches I'm considering:

• Return OAuth URLs to users and have them handle the flow externally
• Use proxy-hosted callback endpoints instead of localhost
• Use a different auth mechanism (API keys, client credentials)
• Extend the FileTokenStorage to be user-aware

5. Would extending the current architecture to support user context be valuable, such as:

   # Hypothetical user-aware OAuth
   def OAuth(
       mcp_url: str,
       user_id: str | None = None,  # New: user context
       return_url_instead_of_opening: bool = False,  # New: don't auto-open browser
       custom_callback_url: str | None = None,  # New: proxy-hosted callback
       # ...
   ):

6. Could the local callback server approach be adapted for proxy scenarios by using proxy-hosted endpoints instead of 127.0.0.1?

Any guidance on the intended design philosophy and recommended approaches for this type of multi-user service architecture would be greatly appreciated!

[JeremyCraigMartinez]

Have you had any luck uncovering a way to implement this @Shriram-11 ? I am trying to build something similar and running into the same issues