Authentication and Authorization Proxy for MCP Servers
Ayesha Dissanayaka 6c5eda0091
Update Readme
* Update README.md
---------

Co-authored-by: Omindu Rathnaweera <omindu.dishan@gmail.com>
2025-04-03 12:15:05 +05:30
cmd/proxy add microsoft authentication 2025-04-02 18:29:37 +05:30
internal add microsoft authentication 2025-04-02 18:29:37 +05:30
resources Update Readme 2025-04-03 12:15:05 +05:30
.gitignore improve readme 2025-04-02 18:22:36 +05:30
config.yaml improve readme 2025-04-02 18:22:36 +05:30
go.mod improve readme 2025-04-02 18:22:36 +05:30
issue_template.md Add Issue Template 2025-04-02 10:47:50 +05:30
LICENSE Initial commit 2025-04-02 10:45:59 +05:30
pull_request_template.md Add Pull Request Template 2025-04-02 10:47:51 +05:30
README.md Update Readme 2025-04-03 12:15:05 +05:30

Open MCP Auth Proxy

The Open MCP Auth Proxy is a lightweight proxy designed to sit in front of MCP servers and enforce authorization in compliance with the Model Context Protocol authorization requirements. It intercepts incoming requests, validates tokens, and offloads authentication and authorization to an OAuth-compliant Identity Provider.


Setup and Installation

Prerequisites

  • Go 1.20 or higher
  • A running MCP server (SSE transport supported)
  • An MCP client that supports MCP authorization

Installation

git clone https://github.com/wso2/open-mcp-auth-proxy  
cd open-mcp-auth-proxy  
go build -o openmcpauthproxy ./cmd/proxy

Using Open MCP Auth Proxy

Quick Start

Quick Start lets you enable authentication and authorization for your MCP server with the preconfigured auth provider powered by Asgardeo.

If you don't have an MCP server, follow the instructions given here to start your own MCP server for testing purposes.

  1. Download sample MCP server
  2. Run the server with
python3 echo_server.py

Configure the Auth Proxy

Create a configuration file config.yaml with the following parameters:

mcp_server_base_url: "http://localhost:8000"  # URL of your MCP server  
listen_address: ":8080"                       # Address where the proxy will listen

Start the Auth Proxy

./openmcpauthproxy --demo

The --demo flag enables a demonstration mode with pre-configured authentication and authorization with a sandbox powered by Asgardeo.

Connect Using an MCP Client

You can use the MCP Inspector to test the connection and try out the complete authorization flow.

Use with Asgardeo

Enable authorization for the MCP server through your own Asgardeo organization.

  1. Register and create an organization in Asgardeo
  2. Authorize the OpenMCPAuthProxy to dynamically register MCP Clients as applications in your organization. To do that:
    1. Create an M2M application
      1. Authorize this application to invoke the “Application Management API” with the internal_application_mgt_create scope.
      2. Note the Client ID and Client secret of this application. These are required by the auth proxy.

Configure the Auth Proxy

Create a configuration file config.yaml with the following parameters:

mcp_server_base_url: "http://localhost:8000"  # URL of your MCP server  
listen_address: ":8080"                       # Address where the proxy will listen

asgardeo:                                     
  org_name: "<org_name>"                      # Your Asgardeo org name
  client_id: "<client_id>"                    # Client ID of the M2M app
  client_secret: "<client_secret>"            # Client secret of the M2M app

Start the Auth Proxy

./openmcpauthproxy --asgardeo

Use with Auth0

Enable authorization for the MCP server through your Auth0 organization.

TODO: Add instructions

Enable dynamic application registration in your Auth0 organization

Configure the Auth Proxy

Create a configuration file config.yaml with the following parameters:

mcp_server_base_url: "http://localhost:8000"     # URL of your MCP server  
listen_address: ":8080"                          # Address where the proxy will listen

TODO: Update the configs for Auth0.

Start the Auth Proxy

./openmcpauthproxy --auth0

Use with a standard OAuth Server

Enable authorization for the MCP server with a compliant OAuth server.

Configuration

Create a configuration file config.yaml with the following parameters:

mcp_server_base_url: "http://localhost:8000"  # URL of your MCP server  
listen_address: ":8080"                       # Address where the proxy will listen

TODO: Update the configs for a standard OAuth Server.

Start the Auth Proxy

./openmcpauthproxy