open-mcp-auth-proxy

Open MCP Auth Proxy

A lightweight authorization proxy for Model Context Protocol (MCP) servers that enforces authorization according to the MCP authorization specification

🚀 Features

• Dynamic Authorization: based on MCP Authorization Specification.
• JWT Validation: Validates the token’s signature, checks the audience claim, and enforces scope requirements.
• Identity Provider Integration: Supports integrating any OAuth/OIDC provider such as Asgardeo, Auth0, Keycloak, etc.
• Protocol Version Negotiation: via MCP-Protocol-Version header.
• Flexible Transport Modes: Supports STDIO, SSE and streamable HTTP transport options.

🛠️ Quick Start

Prerequisites

• A running MCP server (Use the example MCP server if you don't have an MCP server already)
• An MCP client that supports MCP authorization specification

1. Download the latest release from Github releases.

2. Start the proxy in demo mode (uses pre-configured authentication with Asgardeo sandbox):

• Linux/macOS:

./openmcpauthproxy --demo

• Windows:

.\openmcpauthproxy.exe --demo

3. Connect using an MCP client like MCP Inspector.

🔒 Integrate an Identity Provider

Asgardeo

To enable authorization through your Asgardeo organization:

1. Register and create an organization in Asgardeo

2. Create an M2M application

3. Authorize this application to invoke "Application Management API" with the internal_application_mgt_create scope
   

4. Update config.yaml with the following parameters.

base_url: "http://localhost:8000"                              # URL of your MCP server  
listen_port: 8080                                              # Address where the proxy will listen

resource_identifier: "http://localhost:8080"                 # Proxy server URL
scopes_supported:                                            # Scopes required to defined for the MCP server
- "read:tools"
- "read:resources"
audience: "<audience_value>"                                 # Access token audience
authorization_servers:                                       # Authorization server issuer identifier(s)
- "https://api.asgardeo.io/t/acme"
jwks_uri: "https://api.asgardeo.io/t/acme/oauth2/jwks"       # JWKS URL

5. Start the proxy with Asgardeo integration:

./openmcpauthproxy --asgardeo

Other OAuth Providers

• Auth0
• Keycloak

Transport Modes

STDIO Mode

When using stdio mode, the proxy:

• Starts an MCP server as a subprocess using the command specified in the configuration
• Communicates with the subprocess through standard input/output (stdio)

Note: Any commands specified (like npx in the example below) must be installed on your system first

1. Configure stdio mode in your config.yaml:

stdio:
  enabled: true
  user_command: "npx -y @modelcontextprotocol/server-github"  # Example using a GitHub MCP server
  env:                           # Environment variables (optional)
    - "GITHUB_PERSONAL_ACCESS_TOKEN=gitPAT"    

2. Run the proxy with stdio mode:

./openmcpauthproxy --demo

• SSE Mode (Default): For Server-Sent Events transport
• Streamable HTTP Mode: For Streamable HTTP transport

Available Command Line Options

# Start in demo mode (using Asgardeo sandbox)
./openmcpauthproxy --demo

# Start with your own Asgardeo organization
./openmcpauthproxy --asgardeo

# Use stdio transport mode instead of SSE
./openmcpauthproxy --demo --stdio

# Enable debug logging
./openmcpauthproxy --demo --debug

# Show all available options
./openmcpauthproxy --help

Contributing

We appreciate your contributions, whether it is improving documentation, adding new features, or fixing bugs. To get started, please refer to our contributing guide.