Update Readme

* Update README.md
---------

Co-authored-by: Omindu Rathnaweera <omindu.dishan@gmail.com>
Ayesha Dissanayaka 2025-04-03 12:15:05 +05:30 committed by GitHub
parent 9f5fc69fb6
commit 6c5eda0091
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 130 additions and 56 deletions

158
README.md

@ -1,81 +1,131 @@
# open-mcp-auth-proxy # Open MCP Auth Proxy
## Overview The Open MCP Auth Proxy is a lightweight proxy designed to sit in front of MCP servers and enforce authorization in compliance with the [Model Context Protocol authorization](https://spec.modelcontextprotocol.io/specification/2025-03-26/basic/authorization/) requirements. It intercepts incoming requests, validates tokens, and offloads authentication and authorization to an OAuth-compliant Identity Provider.
OpenMCPAuthProxy is a security middleware that implements the Model Context Protocol (MCP) Authorization Specification (2025-03-26). It functions as a proxy between clients and MCP servers, providing robust authentication and authorization capabilities. The proxy intercepts incoming requests, validates authentication tokens, and forwards only authorized requests to the underlying MCP server, enhancing the security posture of your MCP deployment. ![image](https://github.com/user-attachments/assets/fc728670-2fdb-4a63-bcc4-b9b6a6c8b4ba)
## Setup and Installation ## **Setup and Installation**
### Prerequisites ### **Prerequisites**
- Go 1.20 or higher
- A running MCP server (SSE transport supported) * Go 1.20 or higher
* A running MCP server (SSE transport supported)
* An MCP client that supports MCP authorization
### **Installation**
### Installation
```bash ```bash
git clone https://github.com/wso2/open-mcp-auth-proxy git clone https://github.com/wso2/open-mcp-auth-proxy
cd open-mcp-auth-proxy cd open-mcp-auth-proxy
go build -o openmcpauthproxy ./cmd/proxy go build -o openmcpauthproxy ./cmd/proxy
``` ```
## Configuration ## Using Open MCP Auth Proxy
Create a configuration file `config.yaml` with the following parameters: ### Quick Start
Allows you to just enable authentication and authorization for your MCP server with the preconfigured auth provider powered by Asgardeo.
If you dont have an MCP server, follow the instructions given here to start your own MCP server for testing purposes.
1. Download [sample MCP server](resources/echo_server.py)
2. Run the server with
```bash
python3 echo_server.py
```
#### Configure the Auth Proxy
Create a configuration file config.yaml with the following parameters:
```yaml ```yaml
mcp_server_base_url: "http://localhost:8000" # URL of your MCP server mcp_server_base_url: "http://localhost:8000" # URL of your MCP server
listen_address: ":8080" # Address where the proxy will listen listen_address: ":8080" # Address where the proxy will listen
``` ```
## Usage Example #### Start the Auth Proxy
### 1. Start the MCP Server
Create a file named `echo_server.py`:
```python
from mcp.server.fastmcp import FastMCP
mcp = FastMCP("Echo")
@mcp.resource("echo://{message}")
def echo_resource(message: str) -> str:
"""Echo a message as a resource"""
return f"Resource echo: {message}"
@mcp.tool()
def echo_tool(message: str) -> str:
"""Echo a message as a tool"""
return f"Tool echo: {message}"
@mcp.prompt()
def echo_prompt(message: str) -> str:
"""Create an echo prompt"""
return f"Please process this message: {message}"
if __name__ == "__main__":
mcp.run(transport="sse")
```
Run the server:
```bash
python3 echo_server.py
```
### 2. Start the Auth Proxy
```bash ```bash
./openmcpauthproxy --demo ./openmcpauthproxy --demo
``` ```
The `--demo` flag enables a demonstration mode with pre-configured authentication with [Asgardeo](https://asgardeo.io/). The `--demo` flag enables a demonstration mode with pre-configured authentication and authorization with a sandbox powered by [Asgardeo](https://asgardeo.io/).
### 3. Connect Using an MCP Client #### Connect Using an MCP Client
You can use the [MCP Inspector](https://github.com/modelcontextprotocol/inspector) to test the connection: You can use the [MCP Inspector](https://github.com/modelcontextprotocol/inspector) to test the connection and try out the complete authorization flow.
## Contributing ### Use with Asgardeo
Contributions are welcome! Please feel free to submit a Pull Request. Enable authorization for the MCP server through your own Asgardeo organization
1. [Register]([url](https://asgardeo.io/signup)) and create an organization in Asgardeo
2. Now, you need to authorize the OpenMCPAuthProxy to allow dynamically registering MCP Clients as applications in your organization. To do that,
1. Create an [M2M application](https://wso2.com/asgardeo/docs/guides/applications/register-machine-to-machine-app/)
1. [Authorize this application](https://wso2.com/asgardeo/docs/guides/applications/register-machine-to-machine-app/#authorize-the-api-resources-for-the-app) to invoke “Application Management API” with the `internal_application_mgt_create` scope.
![image](https://github.com/user-attachments/assets/0bd57cac-1904-48cc-b7aa-0530224bc41a)
2. Note the **Client ID** and **Client secret** of this application. This is required by the auth proxy
#### Configure the Auth Proxy
Create a configuration file config.yaml with the following parameters:
```yaml
mcp_server_base_url: "http://localhost:8000" # URL of your MCP server
listen_address: ":8080" # Address where the proxy will listen
asgardeo:
org_name: "<org_name>" # Your Asgardeo org name
client_id: "<client_id>" # Client ID of the M2M app
client_secret: "<client_secret>" # Client secret of the M2M app
```
#### Start the Auth Proxy
```bash
./openmcpauthproxy --asgardeo
```
### Use with Auth0
Enable authorization for the MCP server through your Auth0 organization
**TODO**: Add instructions
[Enable dynamic application registration](https://auth0.com/docs/get-started/applications/dynamic-client-registration#enable-dynamic-client-registration) in your Auth0 organization
#### Configure the Auth Proxy
Create a configuration file config.yaml with the following parameters:
```yaml
mcp_server_base_url: "http://localhost:8000" # URL of your MCP server
listen_address: ":8080" # Address where the proxy will listen
```
**TODO**: Update the configs for Auth0.
#### Start the Auth Proxy
```bash
./openmcpauthproxy --auth0
```
### Use with a standard OAuth Server
Enable authorization for the MCP server with a compliant OAuth server
#### Configuration
Create a configuration file config.yaml with the following parameters:
```yaml
mcp_server_base_url: "http://localhost:8000" # URL of your MCP server
listen_address: ":8080" # Address where the proxy will listen
```
**TODO**: Update the configs for a standard OAuth Server.
#### Start the Auth Proxy
```bash
./openmcpauthproxy
```
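Review bot: In the "Use with Asgardeo" config block, `client_secret: "<client_secret>"` puts the M2M app's secret in plaintext in config.yaml with no guidance on protecting it. That app is authorized for the Application Management API with `internal_application_mgt_create`, so the README should tell users to keep config.yaml out of version control and restrict its file permissions, or document another way to supply the secret if the proxy has one. Also in this hunk: the step 1 link `[Register]([url](https://asgardeo.io/signup))` is malformed and will not render as a link; the sub-steps under step 2 are numbered 1, 1, 2; "dont" should be "don't"; and the Auth0 and standard OAuth sections document `./openmcpauthproxy --auth0` and the bare invocation while their config is still marked **TODO**, so a reader cannot complete either setup. Consider marking those two sections as not yet supported until the config keys are documented.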

24
resources/echo_server.py Normal file

@ -0,0 +1,24 @@
from mcp.server.fastmcp import FastMCP
mcp = FastMCP("Echo")
@mcp.resource("echo://{message}")
def echo_resource(message: str) -> str:
"""Echo a message as a resource"""
return f"Resource echo: {message}"
@mcp.tool()
def echo_tool(message: str) -> str:
"""Echo a message as a tool"""
return f"Tool echo: {message}"
@mcp.prompt()
def echo_prompt(message: str) -> str:
"""Create an echo prompt"""
return f"Please process this message: {message}"
if __name__ == "__main__":
mcp.run(transport="sse")
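Review bot: `mcp.run(transport="sse")` at the end of the file leaves the listen host and port to the library default, while the README's `mcp_server_base_url: "http://localhost:8000"` assumes a specific one. The sample has no authentication of its own, so state the host and port in a comment or set them explicitly, and note that it should listen on loopback only so that clients reach it through the proxy. The import of `mcp.server.fastmcp` also needs an install step in the README's Quick Start, which currently goes straight from downloading the file to `python3 echo_server.py`.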