feat: add OAuth 2.0 authentication for remote MCP access

[nix-tkobayashi]

Closes #105

Summary

Add OAuth 2.0 support so the MCP server can be securely exposed over a network with per-user Backlog authentication, eliminating the need for a shared API key.

• Implements the MCP Third-Party Authorization Flow using Hono (consistent with existing codebase)
• Server acts as both an OAuth authorization server (for MCP clients) and an OAuth client (for Backlog)
• Supports Dynamic Client Registration (RFC 7591), Authorization Server Metadata (RFC 8414), Protected Resource Metadata (RFC 9728), and PKCE (S256)
• Fully opt-in: enabled only when BACKLOG_OAUTH_CLIENT_ID is set — existing stdio and local HTTP modes are unchanged
• 43 new tests (6 test files), all passing alongside existing test suite

Motivation

When using the MCP server remotely (e.g., deployed on a cloud server), sharing a single API key is a security concern. OAuth 2.0 lets each user authenticate with their own Backlog account, providing proper access control and auditability.

New files

File	Purpose
src/auth/backlogOAuthConfig.ts	Parses OAuth env vars, opt-in detection
src/auth/backlogAuthContext.ts	AsyncLocalStorage for per-request access token
src/auth/tokenStore.ts	In-memory store for pending auths, auth codes, clients, verification cache
src/auth/backlogOAuthClient.ts	HTTP calls to Backlog OAuth API
src/auth/oauthRoutes.ts	Hono routes for all OAuth endpoints
src/auth/bearerAuthMiddleware.ts	Bearer token validation middleware for /mcp

Modified files

File	Change
src/httpMcpServer.ts	Conditionally mount OAuth routes & middleware, pass authInfo to transport
src/index.ts	Detect OAuth config, create OAuth client registry when enabled
src/utils/backlogClientRegistry.ts	Add createOAuthBacklogClientRegistry() using AsyncLocalStorage tokens
.env.example	Add OAuth env var documentation
README.md / README.ja.md	Add OAuth setup documentation

How to test

1. Register an OAuth application in Backlog (Personal Settings → Register Application)
2. Set env vars: BACKLOG_OAUTH_CLIENT_ID, BACKLOG_OAUTH_CLIENT_SECRET, BACKLOG_DOMAIN, MCP_SERVER_BASE_URL
3. Start with --transport http
4. Verify metadata: curl <base>/.well-known/oauth-authorization-server
5. Register a client: POST /register
6. Complete the authorize → callback → token flow
7. Use the access token with Authorization: Bearer <token> on /mcp

Test plan

• All 43 new OAuth tests pass
• All 369 existing tests pass (80 test files)
• End-to-end OAuth flow verified against live Backlog instance
• Backward compatibility: stdio and local HTTP without OAuth unchanged

🤖 Generated with Claude Code

[katayama8000]

@nix-tkobayashi
Thanks for your contribution.
This looks like a great PR for the remote MCP server.
I'll take a look it.

[nix-tkobayashi]

@katayama8000
Thank you for reviewing!
We've already deployed the remote MCP server in our organization and have been actively using it.
Happy to address any feedback you may have.

[katayama8000]

@nix-tkobayashi
POST should be acceptable here?

[nix-tkobayashi]

Good point — POST is optional per RFC 6749 §3.1, and all known MCP clients (Claude Desktop, Cursor, etc.) use browser redirects (GET) to reach /authorize. There's no concrete use case requiring POST here, so I've changed it to app.get('/authorize', ...) to keep the surface area minimal. Fixed in 76dee52.

[katayama8000]

@nix-tkobayashi
I fixed some and left a comment. Other than that, looks good to me.
I’ll test it locally and merge it later.
Can you check the comments I left?

[nix-tkobayashi]

@katayama8000 Thanks for the review and the fixes! I addressed the comment you left and updated /authorize to accept GET only. All tests are passing now. Please let me know if you spot anything else, and thanks in advance for testing it locally.