Day 7-8: MCP Auth

    Enable user-specific interactions with your MCP server and the service you're exposing using the official MCP authorization spec: OAuth 2.1.

    Description

    OAuth is everywhere — logging in with Google, connecting VS Code to GitHub, or letting a chatbot use your data. But for most developers, the moving parts of OAuth feel like a black box.

    In this workshop, we’ll start at the very beginning: setting up your MCP resource server so clients can discover protected resources and request authorization. Step by step, you’ll see how a client figures out where to get access tokens and what your server needs to provide to make it work. By the end, the whole flow will actually make sense.

    Most OAuth headaches come down to the basics: missing CORS headers, not knowing the difference between resource and authorization servers, or a failed client registration. This workshop helps you understand why those problems happen — and how to fix them.

    What You’ll Cover

    • CORS basics: why it exists, how browsers enforce it, and how to configure your server to avoid blocked requests.
    • Resource vs. authorization servers: understanding their roles and how clients discover each one.
    • Resource metadata: telling clients where the authorization server lives.
    • Dynamic client registration: how MCP clients register themselves automatically.

    By the End of Day 7

    You’ll have:

    • A working MCP server that can handle real authentication requests
    • Hands-on experience setting up OAuth from scratch, with CORS and metadata in place
    • A clear mental model of how clients, resource servers, and authorization servers interact
    • The confidence to troubleshoot common setup issues before they become roadblocks

    You’ll leave with a working OAuth setup — and a clear mental model of how all the pieces fit together.

    Contents