@softeria/ms-365-mcp-server 0.92.0 → 0.93.0

package/dist/cli.js

@@ -35,6 +35,9 @@ program.name("ms-365-mcp-server").description("Microsoft 365 MCP Server").versio
 ).option(
   "--public-url <url>",
   "Public base URL (e.g. https://mcp.example.com) used in browser-facing OAuth redirects when running behind a reverse proxy. Server-to-server endpoints (token, register) stay on the request host."
+).option(
+  "--obo",
+  "Enable On-Behalf-Of token exchange in HTTP mode. Exchanges the incoming bearer token for a Graph API token using the OBO flow. Requires MS365_MCP_CLIENT_SECRET."
 ).addOption(
   // DEPRECATED: kept only so existing deployments that set --base-url or
   // MS365_MCP_BASE_URL do not crash at startup. Use --public-url /
@@ -99,6 +102,9 @@ function parseArgs() {
       options.enableDynamicRegistration = true;
     }
   }
+  if (process.env.MS365_MCP_OBO === "true" || process.env.MS365_MCP_OBO === "1") {
+    options.obo = true;
+  }
   if (options.cloud) {
     process.env.MS365_MCP_CLOUD_TYPE = options.cloud;
   }

package/dist/obo-client.js

@@ -0,0 +1,42 @@
+import { ConfidentialClientApplication } from "@azure/msal-node";
+import logger from "./logger.js";
+import { getCloudEndpoints } from "./cloud-config.js";
+class OboClient {
+  constructor(secrets) {
+    if (!secrets.clientSecret) {
+      throw new Error(
+        "On-Behalf-Of flow requires MS365_MCP_CLIENT_SECRET to be set (confidential client)."
+      );
+    }
+    const cloudEndpoints = getCloudEndpoints(secrets.cloudType);
+    this.cca = new ConfidentialClientApplication({
+      auth: {
+        clientId: secrets.clientId,
+        clientSecret: secrets.clientSecret,
+        authority: `${cloudEndpoints.authority}/${secrets.tenantId || "common"}`
+      }
+    });
+    const graphBase = cloudEndpoints.graphApi.replace(/\/$/, "");
+    this.graphScopes = [`${graphBase}/.default`];
+  }
+  async exchangeToken(userAssertion) {
+    try {
+      const result = await this.cca.acquireTokenOnBehalfOf({
+        oboAssertion: userAssertion,
+        scopes: this.graphScopes
+      });
+      if (!result?.accessToken) {
+        throw new Error("OBO token exchange returned no access token");
+      }
+      logger.info("OBO token exchange successful");
+      return result.accessToken;
+    } catch (error) {
+      logger.error(`OBO token exchange failed: ${error.message}`);
+      throw error;
+    }
+  }
+}
+var obo_client_default = OboClient;
+export {
+  obo_client_default as default
+};

package/dist/server.js

@@ -19,6 +19,7 @@ import { getSecrets } from "./secrets.js";
 import { getCloudEndpoints } from "./cloud-config.js";
 import { requestContext } from "./request-context.js";
 import crypto from "node:crypto";
+import OboClient from "./obo-client.js";
 function parseHttpOption(httpOption) {
   if (typeof httpOption === "boolean") {
     return { host: void 0, port: 3e3 };
@@ -45,6 +46,7 @@ class MicrosoftGraphServer {
     this.graphClient = null;
     this.server = null;
     this.secrets = null;
+    this.oboClient = null;
   }
   createMcpServer() {
     const server = new McpServer(
@@ -103,6 +105,18 @@ class MicrosoftGraphServer {
     } catch (err) {
       logger.warn(`Failed to detect multi-account mode: ${err.message}`);
     }
+    if (this.options.obo) {
+      if (!this.options.http) {
+        throw new Error("--obo requires --http (On-Behalf-Of flow only works in HTTP mode).");
+      }
+      if (!this.secrets.clientSecret) {
+        throw new Error(
+          "--obo requires MS365_MCP_CLIENT_SECRET to be set (confidential client required for On-Behalf-Of flow)."
+        );
+      }
+      this.oboClient = new OboClient(this.secrets);
+      logger.info("On-Behalf-Of (OBO) flow enabled");
+    }
     const outputFormat = this.options.toon ? "toon" : "json";
     this.graphClient = new GraphClient(this.authManager, this.secrets, outputFormat);
     if (!this.options.http) {
@@ -174,7 +188,7 @@ class MicrosoftGraphServer {
         const protocol = req.secure ? "https" : "http";
         const requestOrigin = `${protocol}://${req.get("host")}`;
         const browserBase = publicBase ?? requestOrigin;
-        const scopes = buildScopesFromEndpoints(this.options.orgMode, this.options.enabledTools);
+        const scopes = this.options.obo ? [`api://${this.secrets.clientId}/access_as_user`] : buildScopesFromEndpoints(this.options.orgMode, this.options.enabledTools);
         res.json({
           resource: `${requestOrigin}/mcp`,
           authorization_servers: [browserBase],
@@ -398,7 +412,11 @@ class MicrosoftGraphServer {
           };
           try {
             if (req.microsoftAuth) {
-              await requestContext.run({ accessToken: req.microsoftAuth.accessToken }, handler);
+              let accessToken = req.microsoftAuth.accessToken;
+              if (this.oboClient) {
+                accessToken = await this.oboClient.exchangeToken(accessToken);
+              }
+              await requestContext.run({ accessToken }, handler);
             } else {
               await handler();
             }
@@ -436,7 +454,11 @@ class MicrosoftGraphServer {
           };
           try {
             if (req.microsoftAuth) {
-              await requestContext.run({ accessToken: req.microsoftAuth.accessToken }, handler);
+              let accessToken = req.microsoftAuth.accessToken;
+              if (this.oboClient) {
+                accessToken = await this.oboClient.exchangeToken(accessToken);
+              }
+              await requestContext.run({ accessToken }, handler);
             } else {
               await handler();
             }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@softeria/ms-365-mcp-server",
-  "version": "0.92.0",
+  "version": "0.93.0",
   "description": " A Model Context Protocol (MCP) server for interacting with Microsoft 365 and Office services through the Graph API",
   "type": "module",
   "main": "dist/index.js",