FEAT: Add Multi-User OAuth 2.0 Support with HTTP/SSE Transport #10

@leondape

Description

🚀 Feature Request: Multi-Tenant OAuth 2.0 Authentication with HTTP Transport

Problem Statement

The current Box MCP Server implementation has several limitations that prevent it from being deployed as a centralized, multi-user service:

  • Single-User Design: The server creates one global Box client during startup (auth process), meaning all users share the same Box account credentials
  • STDIO Transport Only: Currently hardcoded to use stdio transport, which is designed for local, single-user scenarios
  • No Session Management: No mechanism to handle multiple concurrent users with their own authentication states
  • Deployment Limitations: Cannot be deployed as a centralized service for multiple AI clients/users

Proposed Solution

Implement multi-tenant OAuth 2.0 support with HTTP/SSE transport to enable:

  • Multiple users authenticating with their own Box accounts
  • Centralized deployment serving multiple AI clients
  • Proper session isolation and management
  • Modern HTTP-based communication

Detailed Requirements

1. OAuth 2.0 Multi-User Flow

  • Implement per-user OAuth 2.0 authorization flows
  • Add endpoints for authorization URL generation (/auth/authorize)
  • Add callback endpoint for authorization code exchange (/auth/callback)
  • Support token refresh for long-lived sessions
  • Secure token storage per user session

2. HTTP/SSE Transport Support

  • Replace hardcoded stdio transport with configurable options
  • Implement HTTP + Server-Sent Events transport
  • Add REST API endpoints for MCP protocol over HTTP
  • Support both stdio (local) and http (remote) transport modes

3. Session Management

  • Implement user session tracking and isolation
  • Add middleware for user authentication/authorization
  • Support JWT tokens or session cookies for user identification
  • Add session cleanup and timeout mechanisms

4. Multi-Tenant Architecture

  • Refactor global BoxContext to per-user contexts
  • Implement user-specific Box client instances
  • Add proper error handling for authentication failures
  • Ensure complete data isolation between users

Benefits

  • 🏢 Enterprise Ready: Support multiple users with their own Box accounts
  • ☁️ Centralized Deployment: Single server instance serving multiple AI clients
  • 🔒 Security: Proper OAuth 2.0 implementation with user consent flows
  • 📈 Scalability: HTTP transport enables load balancing and horizontal scaling
  • 🔄 Modern Architecture: Aligns with MCP specification best practices
  • 🛡️ Isolation: Complete data separation between users

Here is a working implementation of a well-working OAuth flow: https://github.com/LibreChat-AI/spotify-mcp
Also LibreChat is working well with such integrations: https://www.librechat.ai/docs/features/mcp#oauth-authentication
Here is the OAuth spec for MCP: https://modelcontextprotocol.io/specification/draft/basic/authorization#authorization-flow

I myself cannot implement it, but I see it as critical for Box to work with multiple users to get this flying!
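A minimal sketch of the per-session flow behind requirements 1, 3 and 4 (authorize URL, callback, refresh, session timeout, no shared Box client), as an added example that is not part of this issue or of the Box MCP Server code. The `exchange`/`refresh` callables, the `/auth/*` endpoint mapping and the constructed client id are assumptions; PKCE, which the linked MCP authorization spec requires, is left out to keep the block short.

```python
import secrets
import time
from typing import Callable, Dict
from urllib.parse import urlencode

BOX_AUTHORIZE_URL = "https://account.box.com/api/oauth2/authorize"


class SessionStore:
    """Per-session OAuth state and tokens; no Box credentials are shared across users."""

    def __init__(self, client_id: str, redirect_uri: str, exchange: Callable[[str], dict],
                 refresh: Callable[[str], dict], session_ttl: int = 3600):
        # exchange(code) / refresh(refresh_token) are assumed callables that call Box's
        # token endpoint and return {"access_token", "refresh_token", "expires_in"}
        self.client_id, self.redirect_uri = client_id, redirect_uri
        self.exchange, self.refresh, self.session_ttl = exchange, refresh, session_ttl
        self.sessions: Dict[str, dict] = {}  # sid -> {"created", "tokens"}
        self.pending: Dict[str, str] = {}    # OAuth state -> sid, single use

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)  # session cookie value; unguessable
        self.sessions[sid] = {"created": time.time(), "tokens": None}
        return sid

    def authorize_url(self, sid: str) -> str:  # GET /auth/authorize
        state = secrets.token_urlsafe(24)
        self.pending[state] = sid  # ties the redirect back to the session that started it
        return BOX_AUTHORIZE_URL + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "state": state})

    def _store(self, sid: str, tok: dict) -> None:  # normalise a token response
        self.sessions[sid]["tokens"] = {"access_token": tok["access_token"],
            "refresh_token": tok["refresh_token"], "expires_at": time.time() + tok["expires_in"]}

    def callback(self, state: str, code: str) -> str:  # GET /auth/callback
        sid = self.pending.pop(state, None)  # unknown or replayed state is rejected
        if sid is None or sid not in self.sessions:
            raise PermissionError("unknown or reused OAuth state")
        self._store(sid, self.exchange(code))
        return sid

    def access_token(self, sid: str) -> str:
        s = self.sessions.get(sid)
        if s is None or time.time() - s["created"] > self.session_ttl:
            self.sessions.pop(sid, None)  # timed-out sessions are dropped, not reused
            raise PermissionError("session unknown or expired")
        if s["tokens"] is None:
            raise PermissionError("session has not completed OAuth")
        if time.time() >= s["tokens"]["expires_at"] - 60:  # refresh shortly before expiry
            self._store(sid, self.refresh(s["tokens"]["refresh_token"]))
        return s["tokens"]["access_token"]
```

Each MCP request would carry the session id (cookie or bearer JWT) and build its Box client from `access_token(sid)`, so two users never see each other's tokens.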
