This is a fork of mcp-remote-with-okta with our own configurations.

A wrapper for mcp-remote that handles Okta authentication using OAuth implicit flow, providing seamless authentication for protected MCP servers.

It grants access to MCP servers by proxying the authentication process to Okta and storing the tokens in the user's ~/.metalab directory.

- 🔐 Okta OAuth: Implements Okta's OAuth implicit flow for secure user authentication.
- 🔄 Token Management: Automatic token storage, validation, and expiration handling.
- 🖥️ Cross-Platform: Works on macOS, Windows, and Linux.
- 🚀 Zero Maintenance: Set it once, never worry about tokens again.
- 🔧 Configurable: Support for multiple environments, scopes, and authentication methods.
- 🔒 Secure Storage: Tokens stored securely in user's home directory.
- 🎯 Production Ready: Robust error handling for Okta.

| Variable | Required | Default | Description |
|---|---|---|---|
| `OKTA_CLIENT_ID` | ✅ | - | Client ID for Okta |
| `OKTA_DOMAIN` | ✅ | - | Your Okta domain (e.g., dev-12345.okta.com) |
| `OKTA_SCOPE` | Optional | openid profile email | OAuth scope for Okta |
| `MCP_TOKEN_URI` | Optional | http://localhost:8080/token | MCP token URL |
| `DEBUG_MODE` | Optional | false | Enable debug mode for troubleshooting |
| `AUTO_REFRESH` | Optional | true | Enable automatic token refresh |
| `REFRESH_THRESHOLD` | Optional | 10 | Auto-refresh threshold in minutes |
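
The settings in the table above, loaded and validated before any authentication starts. This is an added example, not code from this project: `loadConfig`, `tokenState` and `expiresAtMs` are hypothetical names, and accepting plain `http` for `MCP_TOKEN_URI` only on loopback is an assumption of the example, not documented behaviour.

```javascript
// Added example; loadConfig, tokenState and expiresAtMs are hypothetical names.
const DEFAULTS = {
  OKTA_SCOPE: 'openid profile email',
  MCP_TOKEN_URI: 'http://localhost:8080/token',
  DEBUG_MODE: 'false',
  AUTO_REFRESH: 'true',
  REFRESH_THRESHOLD: '10', // minutes
};
const LOOPBACK = new Set(['localhost', '127.0.0.1', '[::1]']);
const HOST_RE = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/i;

function loadConfig(env) {
  const get = (k) => (env[k] !== undefined && env[k] !== '' ? env[k] : DEFAULTS[k]);
  for (const k of ['OKTA_CLIENT_ID', 'OKTA_DOMAIN']) {
    if (!get(k)) throw new Error(`${k} is required`);
  }
  // OKTA_DOMAIN is a bare host name such as dev-12345.okta.com: no scheme or path.
  if (!HOST_RE.test(get('OKTA_DOMAIN'))) {
    throw new Error('OKTA_DOMAIN must be a host name without scheme or path');
  }
  // Assumption: tokens are sent to MCP_TOKEN_URI, so plain http is accepted only on loopback.
  const tokenUri = new URL(get('MCP_TOKEN_URI')); // throws on malformed input
  const plainLoopback = tokenUri.protocol === 'http:' && LOOPBACK.has(tokenUri.hostname);
  if (tokenUri.protocol !== 'https:' && !plainLoopback) {
    throw new Error('MCP_TOKEN_URI must use https unless it points at loopback');
  }
  const minutes = Number(get('REFRESH_THRESHOLD'));
  if (!Number.isInteger(minutes) || minutes <= 0) {
    throw new Error('REFRESH_THRESHOLD must be a positive integer (minutes)');
  }
  return {
    clientId: get('OKTA_CLIENT_ID'),
    domain: get('OKTA_DOMAIN'),
    scopes: get('OKTA_SCOPE').split(/\s+/).filter(Boolean),
    tokenUri: tokenUri.href,
    debug: get('DEBUG_MODE') === 'true',
    autoRefresh: get('AUTO_REFRESH') === 'true',
    refreshThresholdMs: minutes * 60 * 1000,
  };
}

// Classify a stored token by its saved expiry time (epoch milliseconds).
function tokenState(cfg, expiresAtMs, nowMs = Date.now()) {
  const remaining = expiresAtMs - nowMs;
  if (remaining <= 0) return 'expired';
  return cfg.autoRefresh && remaining <= cfg.refreshThresholdMs ? 'refresh' : 'valid';
}
```

With `AUTO_REFRESH=false`, a token inside the threshold is still reported as `valid` until it actually expires.
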

- Double-click the downloaded file to extract its contents.
- Open the script folder from the extracted files.
- Double-click setup-mcp.command to start the setup.

If you see a security warning, follow these steps:

- Scroll down until you see the message: “setup-mcp.command was blocked to protect your Mac.” Click Open Anyway.
- Authenticate with Touch ID or your password to allow execution.

Run the following command in your terminal, then reopen Windsurf or refresh the MCP config:

```
mkdir ~/.metalab;
curl -L https://github.com/metalabdesign/metalab-mcp-remote-with-okta/releases/latest/download/metalab-mcp-remote-with-okta.js -o ~/.metalab/metalab-mcp-remote-with-okta.js
```

```
curl -fsSL https://github.com/metalabdesign/metalab-mcp-remote-with-okta/releases/latest/download/install.js | node
```

Download the latest mcp-remote-with-okta.js release from releases and save it to a location of your choice.

Add the following to your MCP config:

```json
{
  "mcpServers": {
    "metalab": {
      "command": "node",
      "args": [
        "<PATH_SAVED>/metalab-mcp-remote-with-okta.js"
      ]
    }
  }
}
```

Run `npm run build`, then add the following to your MCP config:

```json
{
  "mcpServers": {
    "metalab": {
      "command": "node",
      "args": [
        "<REPO_PATH>/dist/index.js"
      ]
    }
  }
}
```

Ensure your Okta application is configured correctly:

- Grant Types: Enable "Authorization Code"
- App Type: Use "OIDC Web Application"
- MCP Token URIs: Add your token generation URL (e.g., http://localhost:8080/token)
- Scopes: Ensure requested scopes are allowed

If you encounter access_denied errors or "The requested feature is not enabled" messages:
- Verify your Okta app settings match the requirements above
- Check that all URIs are correctly registered in Okta
- Ensure your Okta domain and client credentials are correct
- For free Okta Developer orgs, use the default authorization server

```
src/
auth-strategy.js # Authentication strategy
index.js # Main server application
package.json # Node.js dependencies and scripts
.env.example # Environment configuration template
README.md # This file
```

