MCPSERV.CLUB
akshay12390

Mcp Weather Oauth2 Server

MCP Server

Secure MCP with OAuth2 Client Credentials and Auth Code

Updated May 12, 2025

About

A Spring Boot-based MCP server that issues OAuth2 tokens for client credentials and PKCE flows, enabling secure access to weather data via the Model Context Protocol.

Capabilities

  • Resources: access data sources
  • Tools: execute functions
  • Prompts: pre-built templates
  • Sampling: AI model interactions

Overview

The Mcp Weather OAuth2 Server is a reference implementation that demonstrates how to secure an MCP (Model Context Protocol) server with OAuth 2.0. By integrating Spring Security and the Spring Authorization Server, it issues short‑lived access tokens that grant AI assistants controlled, authenticated access to weather data resources. This approach solves the common problem of exposing sensitive or rate‑limited APIs to untrusted clients, ensuring that only authorized applications can query the weather service.

The server plays two roles. First, it acts as an OAuth 2.0 Authorization Server, providing the standard endpoints for the client‑credentials and authorization‑code‑with‑PKCE flows. Second, it serves as an OAuth 2.0 Resource Server that validates the incoming bearer token on every MCP request, so the AI assistant can retrieve weather information without bypassing access control. The token lifetime is deliberately short (15 minutes), encouraging clients to refresh tokens regularly and reducing the window in which a leaked token can be misused.

Key features include:

  • Client‑credentials flow for machine‑to‑machine interactions, ideal for backend AI services that need unattended access.
  • Authorization code flow with PKCE for browser‑based or mobile clients, ensuring secure user consent without storing client secrets.
  • Spring Security integration, leveraging familiar declarative security rules and the robust Spring ecosystem for authentication, authorization, and token management.
  • MCP inspector compatibility, enabling developers to paste a generated token into the inspector UI and immediately explore available resources, tools, and prompts.

Typical use cases involve AI assistants that provide weather forecasts, alerts, or historical data. By authenticating via OAuth 2.0, the assistant can query the MCP server on behalf of users while adhering to API rate limits and access controls. For example, a conversational AI in a smart home app can request current temperature data, and the MCP server will validate the token before returning the result. This pattern scales to multi‑tenant deployments where each tenant receives its own client credentials and token scope.

Integrating this server into an AI workflow is straightforward: the assistant first obtains a bearer token using one of the supported flows, then attaches it to every MCP request. The server validates the token, enforces scopes, and serves the requested weather resource or tool. Because MCP already defines how tools are described and invoked, adding OAuth 2.0 does not alter the core protocol; it only adds a layer of authentication that follows industry standards. The result is a robust, production‑ready MCP server that protects sensitive data while enabling rich AI interactions.
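To make the two roles described above concrete, here is an added example (not code from the Mcp Weather OAuth2 Server project, which is built on Spring Authorization Server and Spring Security) that models the client‑credentials flow end to end: the authorization‑server side checks the client secret and requested scope and issues a token with the page's 15‑minute lifetime; the resource‑server side, run on every MCP request, verifies the token's signature, rejects it once expired, and enforces the scope before a weather tool runs. The token format (an HMAC‑SHA256‑signed JSON payload), the client registry, the `weather.read` scope and the `get_current_temperature` tool are all assumptions made for illustration; the real server issues standards‑based JWTs via Spring Authorization Server and also supports the PKCE flow, which is not modelled here.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo registry of confidential clients. Spring Authorization
# Server keeps this in a RegisteredClient store; these values are placeholders.
CLIENTS = {
    "weather-assistant": {
        "secret": "example-client-secret",
        "scopes": {"weather.read"},
    },
}

SIGNING_KEY = secrets.token_bytes(32)   # per-process key, demo only
TOKEN_TTL_SECONDS = 15 * 60            # the 15-minute lifetime the page describes


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_client_credentials_token(client_id, client_secret, requested_scope, now=None):
    """Authorization-server side: the client_credentials grant."""
    client = CLIENTS.get(client_id)
    # Constant-time comparison so a wrong secret does not leak timing information.
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        raise PermissionError("invalid_client")
    scopes = set(requested_scope.split())
    # A client may only receive scopes it was registered for.
    if not scopes <= client["scopes"]:
        raise PermissionError("invalid_scope")
    now = int(time.time()) if now is None else now
    claims = {
        "sub": client_id,
        "scope": " ".join(sorted(scopes)),
        "iat": now,
        "exp": now + TOKEN_TTL_SECONDS,
    }
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def validate_bearer(token, required_scope, now=None):
    """Resource-server side: signature, expiry and scope check on every request."""
    try:
        body, sig = token.split(".")
    except ValueError:
        raise PermissionError("invalid_token")
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        raise PermissionError("invalid_token")
    claims = json.loads(_unb64(body))
    now = int(time.time()) if now is None else now
    if now >= claims["exp"]:
        raise PermissionError("expired_token")
    if required_scope not in claims["scope"].split():
        raise PermissionError("insufficient_scope")
    return claims


def get_current_temperature(authorization_header, city, now=None):
    """Hypothetical MCP weather tool guarded by the bearer check."""
    if not authorization_header.startswith("Bearer "):
        raise PermissionError("missing_bearer")
    token = authorization_header[len("Bearer "):]
    claims = validate_bearer(token, "weather.read", now=now)
    # Constructed sample data; a real server would query its weather backend.
    sample = {"London": 18.5, "Austin": 31.0}
    return {"client": claims["sub"], "city": city, "celsius": sample.get(city)}


if __name__ == "__main__":
    tok = issue_client_credentials_token("weather-assistant", "example-client-secret", "weather.read")
    print(get_current_temperature("Bearer " + tok, "London"))
```

Passing `now` explicitly lets the expiry boundary be exercised deterministically: a token minted at `now=1000` is accepted at `1000 + 899` seconds and refused at `1000 + 900`, which is the behaviour a client should plan for when it schedules token refreshes.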