Add OAuth 2.1 PKCE flow for stdio mode

- Create internal/oauth package with standard OAuth implementation
- Use golang.org/x/oauth2 for PKCE flow with S256 challenge
- Support interactive browser-based authorization
- Add CLI flags: --oauth-client-id, --oauth-client-secret, --oauth-scopes
- Respect --gh-host for GHES/GHEC OAuth endpoints
- Secure implementation with ReadHeaderTimeout, state validation
- Comprehensive tests and linting passing

Co-authored-by: SamMorrowDrums <4811358+SamMorrowDrums@users.noreply.github.com>

Author: Copilot

cmd/github-mcp-server/main.go

@@ -1,13 +1,15 @@
 package main
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"os"
 	"strings"
 	"time"
 
 	"github.com/github/github-mcp-server/internal/ghmcp"
+	"github.com/github/github-mcp-server/internal/oauth"
 	"github.com/github/github-mcp-server/pkg/github"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
@@ -33,8 +35,29 @@ var (
 		Long:  `Start a server that communicates via standard input/output streams using JSON-RPC messages.`,
 		RunE: func(_ *cobra.Command, _ []string) error {
 			token := viper.GetString("personal_access_token")
+
+			// If no token provided, check if OAuth is configured
 			if token == "" {
-				return errors.New("GITHUB_PERSONAL_ACCESS_TOKEN not set")
+				oauthClientID := viper.GetString("oauth_client_id")
+				if oauthClientID != "" {
+					// Perform interactive OAuth flow
+					ctx := context.Background()
+					oauthCfg := oauth.GetGitHubOAuthConfig(
+						oauthClientID,
+						viper.GetString("oauth_client_secret"),
+						getOAuthScopes(),
+						viper.GetString("host"), // Pass the gh-host configuration
+					)
+
+					result, err := oauth.StartInteractiveFlow(ctx, oauthCfg)
+					if err != nil {
+						return fmt.Errorf("OAuth flow failed: %w", err)
+					}
+
+					token = result.AccessToken
+				} else {
+					return errors.New("GITHUB_PERSONAL_ACCESS_TOKEN not set and OAuth not configured (set GITHUB_OAUTH_CLIENT_ID)")
+				}
 			}
 
 			// If you're wondering why we're not using viper.GetStringSlice("toolsets"),
@@ -112,6 +135,11 @@ func init() {
 	rootCmd.PersistentFlags().Bool("insider-mode", false, "Enable insider features")
 	rootCmd.PersistentFlags().Duration("repo-access-cache-ttl", 5*time.Minute, "Override the repo access cache TTL (e.g. 1m, 0s to disable)")
 
+	// OAuth flags (stdio mode only)
+	rootCmd.PersistentFlags().String("oauth-client-id", "", "GitHub OAuth app client ID (enables interactive OAuth flow if token not set)")
+	rootCmd.PersistentFlags().String("oauth-client-secret", "", "GitHub OAuth app client secret (optional for public clients with PKCE)")
+	rootCmd.PersistentFlags().StringSlice("oauth-scopes", nil, "OAuth scopes to request (comma-separated)")
+
 	// Bind flag to viper
 	_ = viper.BindPFlag("toolsets", rootCmd.PersistentFlags().Lookup("toolsets"))
 	_ = viper.BindPFlag("tools", rootCmd.PersistentFlags().Lookup("tools"))
@@ -126,6 +154,9 @@ func init() {
 	_ = viper.BindPFlag("lockdown-mode", rootCmd.PersistentFlags().Lookup("lockdown-mode"))
 	_ = viper.BindPFlag("insider-mode", rootCmd.PersistentFlags().Lookup("insider-mode"))
 	_ = viper.BindPFlag("repo-access-cache-ttl", rootCmd.PersistentFlags().Lookup("repo-access-cache-ttl"))
+	_ = viper.BindPFlag("oauth_client_id", rootCmd.PersistentFlags().Lookup("oauth-client-id"))
+	_ = viper.BindPFlag("oauth_client_secret", rootCmd.PersistentFlags().Lookup("oauth-client-secret"))
+	_ = viper.BindPFlag("oauth_scopes", rootCmd.PersistentFlags().Lookup("oauth-scopes"))
 
 	// Add subcommands
 	rootCmd.AddCommand(stdioCmd)
@@ -154,3 +185,25 @@ func wordSepNormalizeFunc(_ *pflag.FlagSet, name string) pflag.NormalizedName {
 	}
 	return pflag.NormalizedName(name)
 }
+
+// getOAuthScopes returns the OAuth scopes to request
+// Uses custom scopes if provided, otherwise defaults to common scopes
+func getOAuthScopes() []string {
+	var scopes []string
+	if viper.IsSet("oauth_scopes") {
+		if err := viper.UnmarshalKey("oauth_scopes", &scopes); err == nil && len(scopes) > 0 {
+			return scopes
+		}
+	}
+
+	// Default scopes for GitHub MCP Server
+	// Based on the protected resource metadata at https://api.githubcopilot.com/.well-known/oauth-protected-resource/mcp
+	return []string{
+		"repo",
+		"user",
+		"gist",
+		"notifications",
+		"read:org",
+		"project",
+	}
+}

internal/ghmcp/server.go

@@ -215,7 +215,7 @@ func NewMCPServer(cfg MCPServerConfig) (*mcp.Server, error) {
 		cfg.Translator,
 		github.FeatureFlags{
 			LockdownMode: cfg.LockdownMode,
-			InsiderMode: cfg.InsiderMode,
+			InsiderMode:  cfg.InsiderMode,
 		},
 		cfg.ContentWindowSize,
 		featureChecker,
@@ -235,7 +235,7 @@ func NewMCPServer(cfg MCPServerConfig) (*mcp.Server, error) {
 		WithToolsets(enabledToolsets).
 		WithTools(cfg.EnabledTools).
 		WithFeatureChecker(featureChecker)
-  
+
 	// Apply token scope filtering if scopes are known (for PAT filtering)
 	if cfg.TokenScopes != nil {
 		inventoryBuilder = inventoryBuilder.WithFilter(github.CreateToolScopeFilter(cfg.TokenScopes))