Feature Request: Support for CLI-based authentication

Adding CLI Authentication to the AI Endurance MCP Server

The current version of the AI Endurance MCP server uses a browser-based login system. This means you need a web browser to log in, making it difficult to use the server from command-line interfaces (CLIs) or automated scripts running on servers without a graphical interface. This article explores the problem and possible solutions.

The Problem: Browser-Based Authentication

When you try to access the MCP server from a CLI tool, it tries to redirect you to a web browser for authentication. Since a CLI environment doesn't have a browser, the authentication process fails. Imagine trying to use a tool like curl or a custom Python script to interact with the server – you simply can't log in without a browser.

Root Cause: OAuth 2.0 Implicit Grant

The current implementation likely uses the OAuth 2.0 implicit grant flow. This flow is designed for browser-based applications where the client-side application directly receives the access token from the authorization server. While simple to implement for web apps, it's inherently unsuitable for CLI applications, which need a more secure and reliable way to handle credentials.

Solution: Implementing the Authorization Code Grant with PKCE

A robust solution is to implement the OAuth 2.0 Authorization Code Grant with PKCE (Proof Key for Code Exchange). This flow is much more secure and suitable for CLI applications. Here's a step-by-step explanation:

1. Generate a Code Verifier and a Code Challenge: The CLI client generates a random string called the "code verifier" and then calculates a "code challenge" from it (usually by hashing the code verifier).
2. Initiate the Authentication: The CLI client opens a web browser (if available) or displays a URL in the console, which the user can copy and paste into a browser. This URL includes the code challenge.
3. User Authentication: The user authenticates with the MCP server through the browser.
4. Authorization Code: After successful authentication, the server redirects the browser to a pre-configured redirect URI (e.g., http://localhost:8080) with an authorization code.
5. Code Exchange: The CLI client intercepts the redirect (e.g., by running a local web server listening on port 8080) and extracts the authorization code.
6. Token Request: The CLI client sends the authorization code and the original code verifier to the MCP server's token endpoint.
7. Access Token: The server verifies the code verifier against the code challenge and, if they match, issues an access token and a refresh token to the CLI client.

Here's an example of how you might generate the code verifier and code challenge in Python:

import secrets
import hashlib
import base64

def generate_code_verifier(length: int = 64) -> str:
    """Generates a random code verifier."""
    token = secrets.token_urlsafe(length)
    return token[:length] # Ensure the length is exactly 64

def generate_code_challenge(code_verifier: str) -> str:
    """Generates the code challenge from the code verifier."""
    code_challenge = hashlib.sha256(code_verifier.encode('utf-8')).digest()
    code_challenge = base64.urlsafe_b64encode(code_challenge).decode('utf-8').rstrip('=')
    return code_challenge

code_verifier = generate_code_verifier()
code_challenge = generate_code_challenge(code_verifier)

print(f"Code Verifier: {code_verifier}")
print(f"Code Challenge: {code_challenge}")

You would then construct the authorization URL with the code_challenge and redirect the user to it. After the user authorizes the application, the server will redirect back to your specified redirect URI. You then exchange the authorization code for an access token using the code_verifier.

Here's a simplified example of the token request using curl:

curl -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code&code={authorization_code}&redirect_uri=http://localhost:8080&client_id={your_client_id}&code_verifier={code_verifier}" \
  https://your-mcp-server.com/oauth/token

Practical Tips and Considerations

• Refresh Tokens: Implement refresh tokens to avoid requiring the user to re-authenticate frequently. Store these securely.
• Secure Storage: Store the access and refresh tokens securely on the client machine. Consider using the operating system's keychain or secrets management system.
• Library Support: Leverage existing OAuth 2.0 client libraries in your programming language to simplify the implementation.
• Error Handling: Implement robust error handling to gracefully handle authentication failures and provide informative messages to the user.
• User Experience: Provide clear instructions to the user on how to copy and paste the authorization URL if a browser cannot be automatically opened.

By implementing the Authorization Code Grant with PKCE, the AI Endurance MCP server can effectively support CLI-based authentication, opening up new possibilities for automation and integration.