
Epistates/TurboMCP

v1.0.8 Breaking

Flagged by this tracker as a breaking release. Note that the changelog's own upgrade guide below describes the v1.0.7 → v1.0.8 step as non-breaking, with existing code continuing to work unchanged, so confirm against your own build before upgrading.

Published 8 months ago | MCP Developer Tools
✓ No known CVEs patched

Topics

mcp mcp-client mcp-sdk mcp-server mcp-servers rust

Affected surfaces

auth rbac

Summary

AI summary

Comprehensive OAuth 2.1 MCP compliance adds PKCE, DPoP and multi‑provider support while preserving existing functionality.

Full changelog

🚀 TurboMCP v1.0.8 - OAuth 2.1 MCP Compliance Release

🎯 EXECUTIVE SUMMARY

TurboMCP v1.0.8 introduces comprehensive OAuth 2.1 MCP compliance as the headline feature, while maintaining all existing transport functionality and protocol compliance. This release provides a complete Rust SDK for OAuth-enabled MCP implementations.

🏆 MAJOR FEATURES

  • OAuth 2.1 MCP Compliance - Complete RFC 8707, RFC 9728, RFC 7591 implementation
  • Enhanced Security Framework - PKCE, DPoP, and comprehensive attack prevention
  • Multi-Provider OAuth Support - Google, GitHub, Microsoft OAuth 2.0 integration
  • MCP Resource Integration - OAuth tokens scoped to MCP resources
  • Production Security Standards - Environment-based validation and whitelisting
  • Comprehensive Test Coverage - 557+ tests all passing

🔐 OAUTH 2.1 MCP COMPLIANCE (NEW MAJOR FEATURE)

Complete OAuth 2.1 Implementation

RFC 8707 Resource Indicators

  • MCP Resource URI Binding: the client sends the MCP server's URI as the RFC 8707 resource parameter in its authorization and token requests, so the issued token carries that URI as its audience and cannot be redeemed at a different resource server
  • Automatic Resource Detection: the library binds tokens to MCP resource URIs without per-request configuration
  • Multi-Resource Support: single authorization covering multiple MCP resources
// OAuth tokens automatically scoped to MCP resources
let oauth_config = OAuthConfig::new()
    .client_id("your-client-id")
    .redirect_uri("https://your-app.com/oauth/callback")
    .auto_resource_indicators(true); // Automatic MCP resource binding

RFC 9728 Protected Resource Metadata

  • Discovery Endpoints: automatic discovery through protected resource metadata, which RFC 9728 publishes at /.well-known/oauth-protected-resource on the resource server (here the MCP server) and which lists the authorization servers a client may use for it
  • Validation Framework: complete validation of protected resource metadata before it is trusted
  • MCP Integration: seamless integration with MCP resource registration
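The following is an added example for the two RFC sections above, not TurboMCP code. It shows the resource-server half of RFC 8707 (reject any token whose audience is not this MCP server's own URI) together with the RFC 9728 discovery hand-off (a 401 whose WWW-Authenticate header points at the protected resource metadata URL), and the client-side authorization request that carries the resource parameter. The struct and function names, the claims (signature verification is assumed to have happened already), and the URIs are constructed for the demo.

```rust
// Added example, not TurboMCP code: RFC 8707 audience binding on the resource server,
// RFC 9728 discovery via WWW-Authenticate, and a client request carrying `resource`.
// Names, claims and URIs are assumptions constructed for the demo.

/// Claims from an access token whose signature has already been verified
/// (signature checking is out of scope here; the struct is constructed for the demo).
pub struct TokenClaims {
    pub aud: Vec<String>, // audiences; RFC 8707 puts the requested `resource` here
    pub exp: u64,         // expiry, seconds since the Unix epoch
    pub scope: String,    // space-separated granted scopes
}

#[derive(Debug, PartialEq)]
pub enum Outcome {
    Allow,
    /// 401 with this WWW-Authenticate value (RFC 9728 section 5.1 `resource_metadata`).
    Challenge(String),
}

pub struct ResourceServer {
    pub resource: String,
    pub metadata_url: String,
}

impl ResourceServer {
    /// `resource` is the MCP server's canonical URI: the value clients must send as the
    /// RFC 8707 `resource` parameter and that must appear in the token's `aud`.
    pub fn new(resource: &str) -> Self {
        Self { resource: resource.to_string(), metadata_url: metadata_url(resource) }
    }

    /// Authorize one request; `now` is injected so expiry is testable.
    pub fn authorize(&self, claims: Option<&TokenClaims>, now: u64, needed_scope: &str) -> Outcome {
        let meta = format!("resource_metadata=\"{}\"", self.metadata_url);
        let Some(c) = claims else {
            // No token at all: bare challenge telling the client where to discover the AS.
            return Outcome::Challenge(format!("Bearer {meta}"));
        };
        // Audience check: a token minted for another resource is rejected even if it is
        // otherwise valid; that is the point of RFC 8707 binding.
        if !c.aud.iter().any(|a| a == &self.resource) || c.exp <= now {
            return Outcome::Challenge(format!("Bearer error=\"invalid_token\", {meta}"));
        }
        if !c.scope.split_whitespace().any(|s| s == needed_scope) {
            return Outcome::Challenge(format!("Bearer error=\"insufficient_scope\", scope=\"{needed_scope}\", {meta}"));
        }
        Outcome::Allow
    }
}

/// RFC 9728 section 3: the well-known path at the origin, with the resource's own
/// path components appended (trailing slash dropped).
pub fn metadata_url(resource: &str) -> String {
    let after_scheme = resource.find("://").map(|i| i + 3).unwrap_or(0);
    let split = resource[after_scheme..].find('/').map(|j| after_scheme + j);
    let (origin, path) = match split {
        Some(j) => (&resource[..j], resource[j..].trim_end_matches('/')),
        None => (resource, ""),
    };
    format!("{origin}/.well-known/oauth-protected-resource{path}")
}

/// Client side: pull the metadata URL out of a 401's WWW-Authenticate header.
pub fn resource_metadata_url(www_authenticate: &str) -> Option<String> {
    let key = "resource_metadata=\"";
    let start = www_authenticate.find(key)? + key.len();
    let end = www_authenticate[start..].find('"')? + start;
    Some(www_authenticate[start..end].to_string())
}

/// Percent-encode everything except RFC 3986 unreserved characters.
fn pct(s: &str) -> String {
    s.bytes()
        .map(|b| match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => (b as char).to_string(),
            _ => format!("%{b:02X}"),
        })
        .collect()
}

/// Client side: authorization request carrying the RFC 8707 `resource` parameter and an
/// S256 PKCE challenge, so the issued token is bound to exactly this MCP server.
pub fn authorization_request(endpoint: &str, client_id: &str, redirect_uri: &str, resource: &str, code_challenge: &str, state: &str) -> String {
    format!(
        "{endpoint}?response_type=code&client_id={}&redirect_uri={}&resource={}&code_challenge={}&code_challenge_method=S256&state={}",
        pct(client_id), pct(redirect_uri), pct(resource), pct(code_challenge), pct(state)
    )
}

fn main() {
    let server = ResourceServer::new("https://mcp.example.com/files");
    if let Outcome::Challenge(h) = server.authorize(None, 1_700_000_000, "files:read") {
        println!("WWW-Authenticate: {h}");
        println!("metadata to fetch: {:?}", resource_metadata_url(&h));
    }
}
```

The audience comparison is an exact string match on the resource URI; in a real server the registry of resources would be consulted instead of a single hard-coded value, and the token's signature, issuer and DPoP binding (where enabled) would be checked before the claims are trusted at all.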

RFC 7591 Dynamic Client Registration

  • Runtime Client Configuration: Dynamic OAuth client registration
  • Multi-Tenant Support: Support for multiple OAuth providers
  • Production Deployment: Enterprise-ready client management

Security Hardening

PKCE (Proof Key for Code Exchange)

  • Enhanced Security: All OAuth flows use PKCE by default; OAuth 2.1 requires it for every authorization code grant, and it stops an intercepted authorization code from being redeemed by anyone who does not hold the code verifier
  • Code Challenge Generation: Cryptographically secure, high-entropy code verifiers (OAuth 2.1 mandates the S256 challenge method, base64url(SHA-256(code_verifier)), rather than plain)
  • Production Standards: Battle-tested security implementation

Attack Vector Prevention

  • Redirect URI Validation: redirect_uri is checked against the registered value, so an attacker cannot steer the authorization code to a host they control (open redirect)
  • Domain Whitelisting: Environment-based host validation (OAUTH_ALLOWED_REDIRECT_HOSTS); only redirect hosts on that list are accepted
  • Injection Protection: Protection against SQL injection and XSS attacks
  • Traversal Prevention: Path traversal attack mitigation
  • DNS Rebinding Protection: DNS rebinding validation for the HTTP-based transports
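Below is an added example of the first two bullets (not TurboMCP code): exact-match redirect_uri validation combined with a host allowlist in the comma-separated shape the page gives for OAUTH_ALLOWED_REDIRECT_HOSTS. The policy type, the error names and the tiny URI splitter are assumptions of mine, and the attack-shaped URIs in main are constructed; the point is that each of the classic open-redirect tricks fails a different check, and that anything not byte-for-byte registered is refused.

```rust
// Added example, not TurboMCP code: exact-match redirect_uri validation with a host
// allowlist in the comma-separated shape the page gives for OAUTH_ALLOWED_REDIRECT_HOSTS.
// Policy/error names and the URI splitter are assumptions; test URIs are constructed.
use std::collections::HashSet;

#[derive(Debug, PartialEq)]
pub enum RedirectError {
    Scheme,         // not https (loopback http excepted), or not a URI at all
    Userinfo,       // https://your-app.com@evil.example/ style tricks
    Fragment,       // RFC 6749 section 3.1.2 forbids a fragment component
    HostNotAllowed, // host not in the allowlist (catches your-app.com.evil.example)
    NotRegistered,  // not byte-for-byte one of the registered URIs
}

pub struct RedirectPolicy {
    allowed_hosts: HashSet<String>,
    registered: HashSet<String>,
}

impl RedirectPolicy {
    /// `allowed_hosts` has the OAUTH_ALLOWED_REDIRECT_HOSTS shape: "host1, host2".
    pub fn from_env_value(allowed_hosts: &str, registered: &[&str]) -> Self {
        Self {
            allowed_hosts: allowed_hosts
                .split(',')
                .map(|h| h.trim().to_ascii_lowercase())
                .filter(|h| !h.is_empty())
                .collect(),
            registered: registered.iter().map(|u| u.to_string()).collect(),
        }
    }

    /// Reads OAUTH_ALLOWED_REDIRECT_HOSTS from the environment; unset means nothing is allowed.
    pub fn from_env(registered: &[&str]) -> Self {
        let v = std::env::var("OAUTH_ALLOWED_REDIRECT_HOSTS").unwrap_or_default();
        Self::from_env_value(&v, registered)
    }

    pub fn validate(&self, redirect_uri: &str) -> Result<(), RedirectError> {
        // Minimal split of scheme://authority/path?query#fragment (no IPv6 literals).
        let (scheme, rest) = redirect_uri.split_once("://").ok_or(RedirectError::Scheme)?;
        let authority = rest.split(|c: char| "/?#".contains(c)).next().unwrap_or("");
        let host = authority
            .rsplit('@').next().unwrap_or("")
            .split(':').next().unwrap_or("")
            .to_ascii_lowercase();
        let loopback = host == "127.0.0.1" || host == "localhost";
        // OAuth 2.1: redirect URIs use https, except loopback redirects for native apps.
        let https = scheme.eq_ignore_ascii_case("https");
        let http_loopback = scheme.eq_ignore_ascii_case("http") && loopback;
        if !(https || http_loopback) {
            return Err(RedirectError::Scheme);
        }
        if authority.contains('@') {
            return Err(RedirectError::Userinfo);
        }
        if redirect_uri.contains('#') {
            return Err(RedirectError::Fragment);
        }
        if !self.allowed_hosts.contains(&host) {
            return Err(RedirectError::HostNotAllowed);
        }
        // Exact string comparison against the registered set: no prefix, suffix or
        // wildcard matching, so "?next=https://evil.example" or a sibling path cannot
        // turn the callback into an open redirect that leaks the authorization code.
        if !self.registered.contains(redirect_uri) {
            return Err(RedirectError::NotRegistered);
        }
        Ok(())
    }
}

fn main() {
    let policy = RedirectPolicy::from_env_value(
        "your-app.com, localhost",
        &["https://your-app.com/oauth/callback", "http://localhost:8080/oauth/callback"],
    );
    for uri in [
        "https://your-app.com/oauth/callback",
        "https://your-app.com.evil.example/oauth/callback",
        "https://your-app.com@evil.example/oauth/callback",
        "https://your-app.com/oauth/callback?next=https://evil.example",
    ] {
        println!("{uri} -> {:?}", policy.validate(uri));
    }
}
```

Loopback redirects for native clients may vary the port from request to request under OAuth 2.1; this example keeps strict exact matching and would need a port-insensitive comparison for 127.0.0.1 and localhost if that case matters to you.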

Security Levels

  • Standard Security: Basic OAuth 2.1 compliance
  • Enhanced Security: PKCE + additional validations
  • Maximum Security: Full security suite including DPoP support

Multi-Provider OAuth Support

// Google OAuth with MCP compliance
let google_provider = OAuthProvider::Google(GoogleConfig {
    client_id: "your-google-client-id".to_string(),
    client_secret: "your-google-secret".to_string(),
    scopes: vec!["profile".to_string(), "email".to_string()],
});

// GitHub OAuth with MCP compliance
let github_provider = OAuthProvider::GitHub(GitHubConfig {
    client_id: "your-github-client-id".to_string(),
    client_secret: "your-github-secret".to_string(),
    scopes: vec!["user:email".to_string()],
});

// Microsoft OAuth with MCP compliance
let microsoft_provider = OAuthProvider::Microsoft(MicrosoftConfig {
    client_id: "your-microsoft-client-id".to_string(),
    client_secret: "your-microsoft-secret".to_string(),
    tenant_id: Some("your-tenant-id".to_string()),
    scopes: vec!["User.Read".to_string()],
});

DPoP Support (Optional)

// Enable DPoP for enhanced OAuth security: the client signs a proof JWT with its
// private key on each token and resource request, and the issued token is bound to
// that key (RFC 9449), so a stolen access token cannot be replayed without the key
let oauth_config = OAuthConfig::new()
    .enable_dpop(DpopConfig {
        algorithm: DpopAlgorithm::ES256, // proof JWTs signed with ECDSA P-256 / SHA-256
        key_id: Some("key-123".to_string()),
    });

MCP Resource Registry Integration

// OAuth tokens automatically bound to MCP resources
let resource_registry = McpResourceRegistry::new()
    .register_resource("api://mcp.example.com/files/*")
    .register_resource("api://mcp.example.com/tools/*");

let oauth_manager = OAuthManager::new(oauth_config)
    .with_resource_registry(resource_registry);

🔧 TRANSPORT LAYER IMPROVEMENTS

STDIO Protocol Compliance

  • Clean JSON-RPC Output: the STDIO transport now writes only JSON-RPC messages to stdout; any other bytes on that stream (log lines, banners) corrupt the framing for the client reading it
  • Automatic Logging Management: library-level logging control for the STDIO transport, so diagnostics do not land on stdout
  • MCP Client Compatibility: Full compatibility with Claude Desktop, LM Studio, and other MCP clients

Enhanced Transport Security

  • Session Management: Advanced session handling across all transports
  • Protocol Validation: Complete MCP protocol version validation
  • Connection Security: Enhanced connection security and validation

📊 COMPREHENSIVE TESTING

OAuth Integration Tests

  • 27 OAuth Integration Tests: Complete OAuth flow validation
  • Security Validation Tests: Attack scenario testing
  • Multi-Provider Tests: All OAuth providers tested
  • MCP Compliance Tests: OAuth + MCP integration validation

Transport Tests

  • Transport Protocol Compliance: All 5 transport types validated
  • End-to-End Integration: Real-world MCP server/client testing
  • Security Testing: Comprehensive security validation
  • Performance Testing: High-throughput message processing

Quality Metrics

  • 557 Total Tests Passing: Complete test suite validation
  • Zero Test Failures: All tests passing across all packages
  • 100% Clippy Clean: Zero warnings with strict -D warnings enforcement
  • Perfect Code Formatting: 100% consistent formatting with cargo fmt

📈 RELEASE STATISTICS

Code Changes (v1.0.7 → v1.0.8)

80 files changed, 14,853 insertions(+), 1,732 deletions(-)

Major Additions

  • OAuth 2.1 Implementation: 925+ lines of production OAuth code
  • Security Framework: 1,038+ lines of security infrastructure
  • Integration Tests: 1,500+ lines of comprehensive test coverage
  • Transport Examples: 3,000+ lines of working transport examples

Files Modified

  • Core OAuth Module: crates/turbomcp/src/auth.rs (+900 lines)
  • Transport Security: crates/turbomcp-transport/src/security.rs (+1,038 lines)
  • Integration Tests: Multiple comprehensive test suites
  • Documentation: Updated README, CHANGELOG, and all crate documentation

🚀 PRODUCTION READINESS

✅ Enterprise Standards Met

  • OAuth 2.1 Compliance: 100% RFC compliant implementation
  • Security Hardening: Production-grade security framework
  • Comprehensive Testing: Battle-tested with extensive test coverage
  • Performance Validated: High-throughput message processing
  • Documentation Complete: Comprehensive documentation and examples

✅ MCP Client Integration Ready

  • Claude Desktop: Full OAuth integration support
  • Web Clients: OAuth-enabled HTTP/SSE transport
  • Custom Clients: OAuth support across all transport types
  • Multi-Provider: Google, GitHub, Microsoft OAuth support

✅ Developer Experience

  • OAuth Examples: Complete OAuth integration examples
  • Security Documentation: Comprehensive security implementation guides
  • Migration Guide: Clear upgrade path from v1.0.7
  • API Documentation: Complete OAuth API documentation

🔮 UPGRADE GUIDE

From v1.0.7 to v1.0.8

Non-Breaking Changes

  • All existing v1.0.7 code continues to work unchanged
  • OAuth features are completely optional
  • Transport layer improvements are automatic

New OAuth Features (Optional)

// Add OAuth to existing MCP server
use turbomcp::auth::{OAuthManager, OAuthConfig, OAuthProvider};

#[server]
struct MyServer {
    oauth_manager: Option<OAuthManager>,
}

impl MyServer {
    fn new() -> Self {
        let oauth_config = OAuthConfig::new()
            .client_id("your-client-id")
            .redirect_uri("https://your-app.com/oauth/callback");

        let oauth_manager = OAuthManager::new(oauth_config);

        Self {
            oauth_manager: Some(oauth_manager),
        }
    }
}

Enhanced Security (Automatic)

  • STDIO transport automatically provides clean JSON-RPC output
  • Enhanced security validation across all transports
  • Improved error handling and logging

🏁 CONCLUSION

TurboMCP v1.0.8 introduces comprehensive OAuth 2.1 MCP compliance while maintaining all existing functionality and enhancing transport layer security. The library is now ready for enterprise OAuth deployments with full MCP protocol compliance.

Key Features Summary

  • Complete OAuth 2.1 MCP Implementation - RFC 8707, RFC 9728, RFC 7591 compliant
  • Multi-Provider OAuth Support - Google, GitHub, Microsoft integration
  • Enhanced Security Framework - PKCE, DPoP, attack prevention
  • Production Test Coverage - 557+ tests, 27 OAuth integration tests
  • Enhanced Transport Layer - Clean STDIO protocol, enhanced security
  • Enterprise Ready - Production-grade security and comprehensive documentation

Release Impact

TurboMCP v1.0.8 provides a complete Rust SDK for OAuth-enabled MCP implementations, offering enterprise-grade security with comprehensive RFC compliance.


About Epistates/TurboMCP

TurboMCP SDK: Enterprise MCP SDK in Rust
