MCP OAuth Cloudflare

Summary

OAuth authentication for MCP servers on Cloudflare Workers with Google Sign-In and Dynamic Client Registration.

  • Implements a dual OAuth role pattern: the MCP server acts as both an OAuth client (to Google) and an OAuth server (to MCP clients like Claude.ai), issuing its own tokens after upstream authentication
  • Includes production-ready security: CSRF protection via HttpOnly cookies, one-time-use state tokens with a 10-minute TTL, session binding via SHA-256 hashing, and HMAC-signed approval cookies to prevent tampering
  • Supports the refresh token lifecycle for long-lived sessions (Gmail, Drive, Sheets APIs) with configurable Google scopes via environment variables; handles the non-standard two-valid-token rotation strategy
  • Prevents 9 documented errors including RFC 8707 audience validation bugs, Claude.ai connection failures, re-auth loops, and production redirect URI mismatches; coexists with Bearer token auth for CLI tools and programmatic access
SKILL.md

MCP OAuth Cloudflare

Production-ready OAuth authentication for MCP servers on Cloudflare Workers.

When to Use This Skill

  • Building an MCP server that needs user authentication
  • Deploying MCP to Claude.ai (requires Dynamic Client Registration)
  • Replacing static auth tokens with OAuth for better security
  • Adding Google Sign-In to your MCP server
  • Needing user context (email, name, picture) in MCP tool handlers

When NOT to Use

  • Internal/private MCP servers where static tokens are acceptable
  • MCP servers without user-specific data
  • Local-only MCP development (use tokens for simplicity)

Architecture Overview

GitHub Stars: 778