From d3909a98dedd732577ec00ed1b822d7e9c9a0d8b Mon Sep 17 00:00:00 2001
From: NipuniBhagya
Date: Thu, 15 May 2025 01:32:27 +0530
Subject: [PATCH] Update the README.md file
---
 README.md | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)
diff --git a/README.md b/README.md
index e736e90..1b3793e 100644
--- a/README.md
+++ b/README.md
@@ -20,7 +20,7 @@ A lightweight authorization proxy for Model Context Protocol (MCP) servers that
 ## 🚀 Features
-- **Dynamic Authorization** based on MCP Authorization Specification (v1 and v2).
+- **Dynamic Authorization** based on MCP Authorization Specification.
 - **JWT Validation** (signature, audience, and scopes).
 - **Identity Provider Integration** (OAuth/OIDC via Asgardeo, Auth0, Keycloak).
 - **Protocol Version Negotiation** via `MCP-Protocol-Version` header.
@@ -29,10 +29,10 @@ A lightweight authorization proxy for Model Context Protocol (MCP) servers that
 ## 📌 MCP Specification Verions
-| Version | Date | Behavior |
-| :------ | :-------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| **v1** | *before* 2025-03-26 | Only signature check of Bearer JWT on both `/sse` and `/message`
No scope or audience enforcement |
-| **v2** | *on/after* 2025-03-26 | Read `MCP-Protocol-Version` from client header
SSE handshake returns `WWW-Authenticate: Bearer resource_metadata="…"`
`/message` enforces:
1. `aud` claim == `ResourceIdentifier`
2. `scope` claim contains per-path `requiredScope`
3. PolicyEngine decision
Rich `WWW-Authenticate` on 401s
Serves `/​.well-known/oauth-protected-resource` JSON |
+| Version | Behavior |
+| :-------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 2025-03-26 | Only signature check of Bearer JWT on both `/sse` and `/message`
No scope or audience enforcement |
+| Latest(draft) | Read `MCP-Protocol-Version` from client header
SSE handshake returns `WWW-Authenticate: Bearer resource_metadata="…"`
`/message` enforces:
1. `aud` claim == `ResourceIdentifier`
2. `scope` claim contains per-path `requiredScope`
3. PolicyEngine decision
Rich `WWW-Authenticate` on 401s
Serves `/​.well-known/oauth-protected-resource` JSON |
 > ⚠️ **Note:** MCP v2 support is available **only in SSE mode**. The stdio mode supports only v1.
@@ -106,7 +106,6 @@ asgardeo: client_id: "" # Client ID of the M2M app client_secret: "" # Client secret of the M2M app - # Only required if you are using the latest version of the MCP specification resource_identifier: "http://localhost:8080" # URL of the MCP proxy server authorization_servers: - "https://example.idp.com" # Base URL of the identity provider
@@ -245,14 +244,14 @@ asgardeo: org_name: "" client_id: "" client_secret: "" - # Required according to the latest MCP specification resource_identifier: "http://localhost:8080" - scopes_supported: - "/get-alerts": "mcp_proxy" - "/get-forecast": "mcp_proxy" + scopes_supported: # Define the required scopes for the MCP server + "tools": "read:tools" + "resources": "read:resources" + audience: "" authorization_servers: - - "https://dev-3l9-ppfg.us.auth0.com" - jwks_uri: "https://dev-3l9-ppfg.us.auth0.com/.well-known/jwks.json" + - "https://api.asgardeo.io/t/acme" + jwks_uri: "https://api.asgardeo.io/t/acme/oauth2/jwks" bearer_methods_supported: - header - body