phoenix-oss/open-mcp-auth-proxy-upstream
0
0
Fork 1
mirror of https://github.com/wso2/open-mcp-auth-proxy.git synced 2025-08-17 11:53:09 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
Authentication and Authorization Proxy for MCP Servers
88 commits 10 branches 4 tags 382 KiB
Find a file
Exact
Pavindu Lakshan 56d969b785
Some checks failed
Go CI / Test (push) Failing after 1m12s
Details
Go CI / Build (push) Successful in 1m47s
Details
Merge pull request #40 from pavinduLakshan/nipuni-new-spec
2025-08-12 14:00:20 +05:30
.github Update release workflow action 2025-06-22 20:52:01 +05:30
cmd/proxy Misc improvements 2025-08-11 16:39:35 +05:30
docs/integrations Improve formatting 2025-04-15 09:12:51 +05:30
internal Fix tests 2025-08-12 07:58:34 +05:30
resources Improve example MCP server 2025-08-11 16:39:46 +05:30
.gitignore Handle spawning subprocess within windows 2025-05-18 16:14:09 +05:30
config.yaml Misc improvements 2025-08-11 16:39:35 +05:30
CONTRIBUTING.md Improve readme 2025-08-06 14:50:20 +05:30
go.mod Add release workflow (#23) 2025-04-18 15:12:32 +05:30
go.sum Add release workflow (#23) 2025-04-18 15:12:32 +05:30
issue_template.md Add Issue Template 2025-04-02 10:47:50 +05:30
LICENSE Initial commit 2025-04-02 10:45:59 +05:30
Makefile Move build from source to the end of readme 2025-05-18 16:44:10 +05:30
pull_request_template.md Remove unnecessary fields from PR template 2025-05-03 01:06:41 +05:30
README.md Improve readme 2025-08-06 14:50:20 +05:30

README.md

Open MCP Auth Proxy

A lightweight authorization proxy for Model Context Protocol (MCP) servers that enforces authorization according to the MCP authorization specification

🚀 Release 💬 Stackoverflow 💬 Discord 🐦 Twitter 📝 License

Architecture Diagram

🚀 Features

  • Dynamic Authorization: based on MCP Authorization Specification.
  • JWT Validation: Validates the tokens signature, checks the audience claim, and enforces scope requirements.
  • Identity Provider Integration: Supports integrating any OAuth/OIDC provider such as Asgardeo, Auth0, Keycloak, etc.
  • Protocol Version Negotiation: via MCP-Protocol-Version header.
  • Flexible Transport Modes: Supports STDIO, SSE and streamable HTTP transport options.

🛠️ Quick Start

Prerequisites

  • A running MCP server (Use the example MCP server if you don't have an MCP server already)
  • An MCP client that supports MCP authorization specification

  1. Download the latest release from Github releases.

  2. Start the proxy in demo mode (uses pre-configured authentication with Asgardeo sandbox):

  • Linux/macOS:
./openmcpauthproxy --demo
  • Windows:
.\openmcpauthproxy.exe --demo
  1. Connect using an MCP client like MCP Inspector.

🔒 Integrate an Identity Provider

Asgardeo

To enable authorization through your Asgardeo organization:

  1. Register and create an organization in Asgardeo

  2. Create an M2M application

  3. Authorize this application to invoke "Application Management API" with the internal_application_mgt_create scope image

  4. Update config.yaml with the following parameters.

base_url: "http://localhost:8000"                              # URL of your MCP server  
listen_port: 8080                                              # Address where the proxy will listen

resource_identifier: "http://localhost:8080"                 # Proxy server URL
scopes_supported:                                            # Scopes required to defined for the MCP server
- "read:tools"
- "read:resources"
audience: "<audience_value>"                                 # Access token audience
authorization_servers:                                       # Authorization server issuer identifier(s)
- "https://api.asgardeo.io/t/acme"
jwks_uri: "https://api.asgardeo.io/t/acme/oauth2/jwks"       # JWKS URL
  1. Start the proxy with Asgardeo integration:
./openmcpauthproxy --asgardeo

Other OAuth Providers

Transport Modes

STDIO Mode

When using stdio mode, the proxy:

  • Starts an MCP server as a subprocess using the command specified in the configuration
  • Communicates with the subprocess through standard input/output (stdio)

Note

: Any commands specified (like npx in the example below) must be installed on your system first

  1. Configure stdio mode in your config.yaml:
stdio:
  enabled: true
  user_command: "npx -y @modelcontextprotocol/server-github"  # Example using a GitHub MCP server
  env:                           # Environment variables (optional)
    - "GITHUB_PERSONAL_ACCESS_TOKEN=gitPAT"
  1. Run the proxy with stdio mode:
./openmcpauthproxy --demo
  • SSE Mode (Default): For Server-Sent Events transport
  • Streamable HTTP Mode: For Streamable HTTP transport

Available Command Line Options

# Start in demo mode (using Asgardeo sandbox)
./openmcpauthproxy --demo

# Start with your own Asgardeo organization
./openmcpauthproxy --asgardeo

# Use stdio transport mode instead of SSE
./openmcpauthproxy --demo --stdio

# Enable debug logging
./openmcpauthproxy --demo --debug

# Show all available options
./openmcpauthproxy --help

Contributing

We appreciate your contributions, whether it is improving documentation, adding new features, or fixing bugs. To get started, please refer to our contributing guide.