sequenceDiagram
participant UA as User-Agent
participant Client as VSCode
participant RS as Apigee
participant IDP as SSO
participant Upstream as MCP
Client->>+RS: GET/POST request with NO Access Token
RS->>-Client: 401 Unauthorized (WWW-Authenticate)
opt Discovery, Sign-In, and Consent
Client->>+RS: DISCOVERY GET /.well-known/oauth-protected-resource
RS->>-Client: 200 (authorization_server)
Client->>+IDP: DISCOVERY GET /.well-known/oauth-authorization-server
IDP->>-Client: 200 OK (/authorize, /token endpoints)
Client->>+IDP: GET /authorize (client ID, redirect_uri)
IDP->>-Client: 302 Sign-in (Location)
Client->>+UA: Launch (Location)
UA->>+IDP: signin (Location, Cookie)
Note over UA,IDP: Perform auto-signin, maybe MFA signin
IDP->>-UA: 302 (Location, code)
UA->>-Client: activate (Location, code)
Client->>+IDP: POST /token (code)
IDP->>-Client: 200 OK (access_token)
end
Client->>+RS: GET/POST request (access_token)
RS->>+IDP: GET /jwks.json
IDP->>-RS: 200 OK (JWKS)
RS->>RS: Validate access token
RS->>+Upstream: request
Upstream->>-RS: response (whatever)
RS->>-Client: response
Last active
November 6, 2025 18:38
OAuth Authorization code flow with MCP