OAuth 2.0 Authentication System

· 2 min read
Eduardez
MoLOS Lead Developer

We're excited to announce the release of OAuth 2.0 authentication support in MoLOS! This significant update enables secure third-party integrations while maintaining full control over your data and permissions.

What is OAuth 2.0?

OAuth 2.0 is an industry-standard authorization framework that enables applications to obtain limited access to user accounts without exposing user credentials. This means external services can interact with MoLOS on your behalf using secure tokens instead of your password.

Key Features

Client Registration

OAuth applications can now be registered and managed directly through the MoLOS interface. Each client application receives unique credentials for secure communication with your MoLOS instance.

interface OAuthClient {
id: string;
name: string;
redirectUris: string[];
secret?: string;
scopes: string[];
}

PKCE Authorization Flows

We implement the PKCE (Proof Key for Code Exchange) extension, which enhances security for public clients by preventing authorization code interception attacks.

Token Management

  • Authorization Codes: Short-lived tokens exchanged for access tokens
  • Access Tokens: Long-lived tokens used to authenticate API requests
  • Refresh Tokens: Optional mechanism to obtain new access tokens without re-authentication
  • Token Revocation: Full control to revoke compromised or unwanted tokens

Getting Started

To create an OAuth application:

  1. Navigate to Settings → AI → MCP
  2. Click "Create OAuth App"
  3. Configure your application details and redirect URIs
  4. Save to generate your client credentials

Your OAuth application will receive a client_id and client_secret that can be used to initiate authorization flows.

Security Considerations

  • All sensitive operations require HTTPS
  • Tokens are automatically revoked when applications are deleted
  • Redirect URI validation prevents open redirect vulnerabilities
  • Scope-based permissions provide granular control

Implementation Details

The OAuth 2.0 implementation includes:

  • Authorization endpoint: /api/ai/mcp/oauth/authorize
  • Token endpoint: /api/ai/mcp/oauth/token
  • Registration endpoint: /api/ai/mcp/oauth/register
  • Discovery endpoints: /.well-known/oauth-authorization-server
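The PKCE flow, the redirect URI check and the authorization endpoint path described above, shown as an added TypeScript example (not MoLOS project code): the client-side verifier and S256 challenge, the authorize request built against /api/ai/mcp/oauth/authorize, and the two checks the server performs. The client id, scopes, redirect URIs and base URL are constructed sample values.

```typescript
// Added example, not MoLOS project code: PKCE (S256) as a public client would
// generate it and as the token endpoint would check it, plus exact-match
// redirect URI validation. The /api/ai/mcp/oauth/authorize path is the one
// listed in the post; client id, scopes and redirect URIs below are constructed.
import { createHash, randomBytes, timingSafeEqual } from "crypto";

// RFC 7636 uses unpadded base64url for both the verifier and the challenge.
function base64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Client side: a fresh 256-bit secret per authorization request. It stays with
// the client and is only ever sent to the token endpoint.
function newCodeVerifier(): string {
  return base64url(randomBytes(32)); // 43 chars, within the 43..128 range RFC 7636 requires
}

// code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
function codeChallengeS256(verifier: string): string {
  return base64url(createHash("sha256").update(verifier, "ascii").digest());
}

// Client side: the authorization request carries only the hash of the verifier,
// so an authorization code seen in transit cannot be redeemed without the verifier.
function buildAuthorizeUrl(base: string, clientId: string, redirectUri: string,
                           scopes: string[], verifier: string, state: string): string {
  const u = new URL("/api/ai/mcp/oauth/authorize", base);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("scope", scopes.join(" "));
  u.searchParams.set("state", state);
  u.searchParams.set("code_challenge", codeChallengeS256(verifier));
  u.searchParams.set("code_challenge_method", "S256");
  return u.toString();
}

// Server side at the token endpoint: recompute the challenge from the presented
// verifier and compare it (constant time) to the one stored with the code.
function verifyPkce(storedChallenge: string, presentedVerifier: string): boolean {
  if (presentedVerifier.length < 43 || presentedVerifier.length > 128) return false;
  const got = Buffer.from(codeChallengeS256(presentedVerifier));
  const want = Buffer.from(storedChallenge);
  return got.length === want.length && timingSafeEqual(got, want);
}

// Server side: redirect_uri must equal a registered URI exactly; no prefix,
// wildcard or normalised matching, which is what keeps open redirects out.
function redirectUriAllowed(registered: string[], redirectUri: string): boolean {
  return registered.includes(redirectUri);
}
```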

What's Next

We're working on enhanced OAuth capabilities including:

  • Custom scope definitions for fine-grained permissions
  • OAuth 2.0 Device Authorization Grant for IoT devices
  • Improved audit logging for OAuth activities

Want to learn more about the technical implementation? Check out our dev blog post, Devlog January 29.