From 6c5eda00910f05c45a3a838c753ad0f6cf37d92e Mon Sep 17 00:00:00 2001 From: Ayesha Dissanayaka Date: Thu, 3 Apr 2025 12:15:05 +0530 Subject: [PATCH 1/3] Update Readme * Update README.md --------- Co-authored-by: Omindu Rathnaweera --- README.md | 162 +++++++++++++++++++++++++-------------- resources/echo_server.py | 24 ++++++ 2 files changed, 130 insertions(+), 56 deletions(-) create mode 100644 resources/echo_server.py diff --git a/README.md b/README.md index c13d162..feac64c 100644 --- a/README.md +++ b/README.md 
@@ -1,81 +1,131 @@ -# open-mcp-auth-proxy +# Open MCP Auth Proxy -## Overview +The Open MCP Auth Proxy is a lightweight proxy designed to sit in front of MCP servers and enforce authorization in compliance with the [Model Context Protocol authorization](https://spec.modelcontextprotocol.io/specification/2025-03-26/basic/authorization/) requirements. It intercepts incoming requests, validates tokens, and offloads authentication and authorization to an OAuth-compliant Identity Provider. -OpenMCPAuthProxy is a security middleware that implements the Model Context Protocol (MCP) Authorization Specification (2025-03-26). It functions as a proxy between clients and MCP servers, providing robust authentication and authorization capabilities. The proxy intercepts incoming requests, validates authentication tokens, and forwards only authorized requests to the underlying MCP server, enhancing the security posture of your MCP deployment. +![image](https://github.com/user-attachments/assets/fc728670-2fdb-4a63-bcc4-b9b6a6c8b4ba) -## Setup and Installation +## **Setup and Installation** -### Prerequisites -- Go 1.20 or higher -- A running MCP server (SSE transport supported) +### **Prerequisites** + +* Go 1.20 or higher +* A running MCP server (SSE transport supported) +* An MCP client that supports MCP authorization + +### **Installation** -### Installation ```bash -git clone https://github.com/wso2/open-mcp-auth-proxy -cd open-mcp-auth-proxy +git clone https://github.com/wso2/open-mcp-auth-proxy +cd open-mcp-auth-proxy go build -o openmcpauthproxy ./cmd/proxy ``` -## Configuration +## Using Open MCP Auth Proxy -Create a configuration file `config.yaml` with the following parameters: +### Quick Start -```yaml -mcp_server_base_url: "http://localhost:8000" # URL of your MCP server -listen_address: ":8080" # Address where the proxy will listen -``` +Allows you to just enable authentication and authorization for your MCP server with the preconfigured auth provider powered by 
Asgardeo. -## Usage Example - -### 1. Start the MCP Server - -Create a file named `echo_server.py`: - -```python -from mcp.server.fastmcp import FastMCP - -mcp = FastMCP("Echo") - - -@mcp.resource("echo://{message}") -def echo_resource(message: str) -> str: - """Echo a message as a resource""" - return f"Resource echo: {message}" - - -@mcp.tool() -def echo_tool(message: str) -> str: - """Echo a message as a tool""" - return f"Tool echo: {message}" - - -@mcp.prompt() -def echo_prompt(message: str) -> str: - """Create an echo prompt""" - return f"Please process this message: {message}" - -if __name__ == "__main__": - mcp.run(transport="sse") -``` - -Run the server: +If you don’t have an MCP server, follow the instructions given here to start your own MCP server for testing purposes. +1. Download [sample MCP server](resources/echo_server.py) +2. Run the server with ```bash python3 echo_server.py ``` -### 2. Start the Auth Proxy +#### Configure the Auth Proxy + +Create a configuration file config.yaml with the following parameters: + +```yaml +mcp_server_base_url: "http://localhost:8000" # URL of your MCP server +listen_address: ":8080" # Address where the proxy will listen +``` + +#### Start the Auth Proxy ```bash ./openmcpauthproxy --demo ``` -The `--demo` flag enables a demonstration mode with pre-configured authentication with [Asgardeo](https://asgardeo.io/). +The `--demo` flag enables a demonstration mode with pre-configured authentication and authorization with a sandbox powered by [Asgardeo](https://asgardeo.io/). -### 3. Connect Using an MCP Client +#### Connect Using an MCP Client -You can use the [MCP Inspector](https://github.com/modelcontextprotocol/inspector) to test the connection: +You can use the [MCP Inspector](https://github.com/modelcontextprotocol/inspector) to test the connection and try out the complete authorization flow. -## Contributing +### Use with Asgardeo -Contributions are welcome! Please feel free to submit a Pull Request. 
+Enable authorization for the MCP server through your own Asgardeo organization + +1. [Register]([url](https://asgardeo.io/signup)) and create an organization in Asgardeo +2. Now, you need to authorize the OpenMCPAuthProxy to allow dynamically registering MCP Clients as applications in your organization. To do that, + 1. Create an [M2M application](https://wso2.com/asgardeo/docs/guides/applications/register-machine-to-machine-app/) + 1. [Authorize this application](https://wso2.com/asgardeo/docs/guides/applications/register-machine-to-machine-app/#authorize-the-api-resources-for-the-app) to invoke “Application Management API” with the `internal_application_mgt_create` scope. + ![image](https://github.com/user-attachments/assets/0bd57cac-1904-48cc-b7aa-0530224bc41a) + 2. Note the **Client ID** and **Client secret** of this application. This is required by the auth proxy + +#### Configure the Auth Proxy + +Create a configuration file config.yaml with the following parameters: + +```yaml +mcp_server_base_url: "http://localhost:8000" # URL of your MCP server +listen_address: ":8080" # Address where the proxy will listen + +asgardeo: + org_name: "" # Your Asgardeo org name + client_id: "" # Client ID of the M2M app + client_secret: "" # Client secret of the M2M app +``` + +#### Start the Auth Proxy + +```bash +./openmcpauthproxy --asgardeo +``` + +### Use with Auth0 + +Enable authorization for the MCP server through your Auth0 organization + +**TODO**: Add instructions + +[Enable dynamic application registration](https://auth0.com/docs/get-started/applications/dynamic-client-registration#enable-dynamic-client-registration) in your Auth0 organization + +#### Configure the Auth Proxy + +Create a configuration file config.yaml with the following parameters: + +```yaml +mcp_server_base_url: "http://localhost:8000" # URL of your MCP server +listen_address: ":8080" # Address where the proxy will listen +``` + +**TODO**: Update the configs for Auth0. 
+ +#### Start the Auth Proxy + +```bash +./openmcpauthproxy --auth0 +``` + +### Use with a standard OAuth Server + +Enable authorization for the MCP server with a compliant OAuth server + +#### Configuration + +Create a configuration file config.yaml with the following parameters: + +```yaml +mcp_server_base_url: "http://localhost:8000" # URL of your MCP server +listen_address: ":8080" # Address where the proxy will listen +``` +**TODO**: Update the configs for a standard OAuth Server. + +#### Start the Auth Proxy + +```bash +./openmcpauthproxy +``` diff --git a/resources/echo_server.py b/resources/echo_server.py new file mode 100644 index 0000000..889bcc7 --- /dev/null +++ b/resources/echo_server.py @@ -0,0 +1,24 @@ +from mcp.server.fastmcp import FastMCP + +mcp = FastMCP("Echo") + + +@mcp.resource("echo://{message}") +def echo_resource(message: str) -> str: + """Echo a message as a resource""" + return f"Resource echo: {message}" + + +@mcp.tool() +def echo_tool(message: str) -> str: + """Echo a message as a tool""" + return f"Tool echo: {message}" + + +@mcp.prompt() +def echo_prompt(message: str) -> str: + """Create an echo prompt""" + return f"Please process this message: {message}" + +if __name__ == "__main__": + mcp.run(transport="sse") From ec6b40bdab3d07c09ba9473bd5b84655dd4a16f1 Mon Sep 17 00:00:00 2001 From: Pavindu Lakshan Date: Thu, 3 Apr 2025 13:50:38 +0530 Subject: [PATCH 2/3] Add package install instructions --- README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index feac64c..b2fb23c 100644 --- a/README.md +++ b/README.md @@ -17,6 +17,10 @@ The Open MCP Auth Proxy is a lightweight proxy designed to sit in front of MCP s ```bash git clone https://github.com/wso2/open-mcp-auth-proxy cd open-mcp-auth-proxy + +go get github.com/golang-jwt/jwt/v4 +go get gopkg.in/yaml.v2 + go build -o openmcpauthproxy ./cmd/proxy ``` 
@@ -35,7 +39,7 @@ python3 echo_server.py #### Configure the Auth Proxy -Create a configuration file config.yaml with the following parameters: +Update the following parameters in `config.yaml`. ```yaml mcp_server_base_url: "http://localhost:8000" # URL of your MCP server From 0a2019a6a9dd82738da467beb32fdfe58a0413c2 Mon Sep 17 00:00:00 2001 From: Ayesha Dissanayaka Date: Thu, 3 Apr 2025 13:57:26 +0530 Subject: [PATCH 3/3] Link integration with existing OAuth providers (#6) --- README.md | 30 ++++-------------------------- 1 file changed, 4 insertions(+), 26 deletions(-) diff --git a/README.md b/README.md index b2fb23c..b587878 100644 --- a/README.md +++ b/README.md @@ -89,32 +89,7 @@ asgardeo: ./openmcpauthproxy --asgardeo ``` -### Use with Auth0 - -Enable authorization for the MCP server through your Auth0 organization - -**TODO**: Add instructions - -[Enable dynamic application registration](https://auth0.com/docs/get-started/applications/dynamic-client-registration#enable-dynamic-client-registration) in your Auth0 organization - -#### Configure the Auth Proxy - -Create a configuration file config.yaml with the following parameters: - -```yaml -mcp_server_base_url: "http://localhost:8000" # URL of your MCP server -listen_address: ":8080" # Address where the proxy will listen -``` - -**TODO**: Update the configs for Auth0. - -#### Start the Auth Proxy - -```bash -./openmcpauthproxy --auth0 -``` - -### Use with a standard OAuth Server +### Use with any standard OAuth Server Enable authorization for the MCP server with a compliant OAuth server @@ -133,3 +108,6 @@ listen_address: ":8080" # Address where the proxy will lis ```bash ./openmcpauthproxy ``` +#### Integrating with existing OAuth Providers + + - [Auth0](URL) - Enable authorization for the MCP server through your Auth0 organization. **TODO**: Add instructions under docs and link
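Review bot: in PATCH 1/3, README.md, the "Use with Asgardeo" config example stores `client_secret` in plaintext in `config.yaml`, and the surrounding text says nothing about protecting that file. The secret belongs to an M2M application authorized for `internal_application_mgt_create`, so anyone who reads it can register applications in the organization. Add a sentence telling readers to keep `config.yaml` out of version control and restrict its file permissions, or document an alternative way to supply the secret if the proxy supports one. Two smaller points in the same section: `[Register]([url](https://asgardeo.io/signup))` is a nested link that will not render and should be `[Register](https://asgardeo.io/signup)`, and the nested steps are numbered "1. / 1. / 2.", which reads as if a step were missing.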
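Review bot: in PATCH 1/3, resources/echo_server.py, the final `mcp.run(transport="sse")` leaves the bind address and port implicit, while the README in the same patch hard-codes `mcp_server_base_url: "http://localhost:8000"`. If the library default ever differs, the Quick Start breaks silently. Set the host and port explicitly or add a comment stating the address the README expects. The file also has no module docstring; a short one should say that this sample server performs no authentication of its own and is meant to be reached only through the proxy.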
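Review bot: in PATCH 2/3, first hunk, the added `go get github.com/golang-jwt/jwt/v4` and `go get gopkg.in/yaml.v2` lines carry no version, so each user resolves whatever is current at install time and changes go.mod locally before building. For a JWT library in a proxy whose job is to validate tokens, that makes builds non-reproducible and weakens the supply-chain story. Commit the requirements to go.mod and go.sum so that `go build -o openmcpauthproxy ./cmd/proxy` alone pulls pinned, checksum-verified versions, and drop these two lines from the README.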
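Review bot: in PATCH 2/3, second hunk, the reworded line "Update the following parameters in `config.yaml`." presumes the file already exists, yet this patch changes only README.md and the Installation steps never say where the file comes from. State that the repository ships a `config.yaml` and give its path, or keep the "Create a configuration file" wording. The change is also applied only under Quick Start; the other "Configure the Auth Proxy" sections added in PATCH 1/3 are not touched by this patch, so the README now gives two different instructions for the same file.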
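Review bot: in PATCH 3/3, last hunk, the added bullet `- [Auth0](URL)` links to the literal placeholder `URL`, which renders as a broken relative link, and it ships a **TODO** in user-facing text. The first hunk of this commit removes the Auth0 section, including its link to the Auth0 dynamic client registration docs, so after this change the README has no working Auth0 guidance at all. Either keep that docs link as the target until the page under docs exists, or leave the bullet out of this commit. Also add a blank line between the closing code fence and the `#### Integrating with existing OAuth Providers` heading so the heading renders reliably.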