basic-mcp-server
A demonstration MCP server using FastMCP and streamable-http transport. It provides tools like weather and Kusto queries, secured by Microsoft Entra ID OAuth.
README
MCP Server Demo
A demonstration Model Context Protocol (MCP) server
built with FastMCP. It exposes a small set of tools, resources, and prompts over the
streamable-http transport and secures every request with Microsoft Entra ID (OAuth 2.0).
The server is designed to run both locally (developer machine) and in Azure (App Service / Container Apps), and it can call downstream Azure services such as Azure Data Explorer (Kusto) as the calling user using the On-Behalf-Of (OBO) flow backed by a federated managed identity.
What this project does
At a high level, the server lets an MCP client (e.g. VS Code + GitHub Copilot in agent mode) discover and invoke server-side capabilities after the user signs in with their Microsoft Entra account:
- Tools — callable functions the model can invoke:
get_weather(location)— current weather for a city/place via the public Open-Meteo API.get_ip_address()— the server's public IP via ipify.execute_kql(query, cluster?, database?)— runs a Kusto (KQL) query against Azure Data Explorer and returns JSON. Enforces a 1000-row safety cap and runs the query under the caller's identity when Azure-hosted (OBO).add(a, b)— trivial example tool.long_running_task(task_name, steps)— demonstrates progress reporting via the MCPContext.
- Resource —
greeting://{name}returns a personalized greeting (dynamic resource template). - Prompt —
greet_user(name, style)returns a reusable greeting prompt. - Routes —
/mcp(the MCP endpoint) plus a public/readmeHTML route and the OAuth discovery endpoint/.well-known/oauth-protected-resource.
Architecture
Component layout
main.py # Server entry point: builds FastMCP, wires auth, registers tools, serves via uvicorn
client.py # Demo MCP client (acquires a token with DefaultAzureCredential, calls the server)
auth/
authCheck.py # EntraTokenVerifier: validates incoming JWTs (signature, issuer, audience, scope/role)
tools/
weather.py # register_weather_tools -> get_weather
findIP.py # register_ip_tools -> get_ip_address
executeKQL.py # register_kql_tools -> execute_kql (OBO + federated managed identity)
GoogleCalendar.py # Standalone Google Calendar experiment (not wired into the MCP server)
AUTH.md # Deep-dive on the Entra ID OAuth setup and gotchas
pyproject.toml / # Dependencies (mcp[cli], azure-identity, azure-kusto-data, pyjwt[crypto], starlette, uvicorn, ...)
requirements.txt
Request flow
sequenceDiagram
actor User
participant Client as MCP Client (VS Code / client.py)
participant Entra as Microsoft Entra ID
participant Server as FastMCP Server (/mcp)
participant Verifier as EntraTokenVerifier
participant Kusto as Azure Data Explorer
Client->>Server: GET /.well-known/oauth-protected-resource
Server-->>Client: issuer + scopes_supported (api://<app>/mcp.access)
Client->>Entra: Request token for api://<app>/mcp.access
Entra->>User: Sign in / consent
Entra-->>Client: Access token (aud = API, scp = mcp.access)
Client->>Server: MCP request + Bearer token
Server->>Verifier: verify_token(token)
Verifier->>Entra: Fetch JWKS signing keys (cached)
Verifier-->>Server: AccessToken (valid) or reject (401/403)
Server->>Kusto: execute_kql via OBO (run as caller, Azure-hosted)
Kusto-->>Server: Result rows
Server-->>Client: Tool result
Key design points
- FastMCP + streamable-http. OAuth requires the
streamable-httptransport (stdiocannot do OAuth). The server is built in main.py and served byuvicornon0.0.0.0, readingPORTfrom the environment (App Service injects it). - Modular tool registration. Each tool group lives in its own module under
tools/ and exposes a
register_*_tools(mcp)function, keepingmain.pythin and tools independently testable. - Per-user downstream calls (OBO). tools/executeKQL.py
reads the caller's validated token via
get_access_token()and, when running in Azure, exchanges it through anOnBehalfOfCredentialwhose client assertion is a federated managed identity (no secret/cert). Locally it falls back toAzureCliCredential(az login) then interactive browser sign-in. - Safety guardrails.
execute_kqlrefuses to return result sets larger thanMAX_ROWS(1000) and asks the caller to aggregate or filter instead.
Authentication (brief)
Authentication is implemented with Microsoft Entra ID using OAuth 2.0 bearer tokens. Full details and troubleshooting live in AUTH.md; the essentials:
-
Server advertises a protected resource.
AuthSettingsin main.py publishes the issuer (https://login.microsoftonline.com/<tenant>/v2.0) and the fully-qualified required scopeapi://<api-app-id>/mcp.access. The scope must be fully-qualified — a baremcp.accessis interpreted by Entra as a Microsoft Graph scope and fails withAADSTS65002. -
Token validation happens in
EntraTokenVerifier(auth/authCheck.py) for every request:- Verifies the JWT signature against Entra's JWKS keys (
PyJWKClient, RS256). - Accepts both v1 (
sts.windows.net/<tid>/) and v2 (login.microsoftonline.com/<tid>/v2.0) issuers. - Accepts both audience forms:
api://<guid>and the bare<guid>. - Authorizes either a delegated user (
mcp.accessin thescpclaim) or an app-only caller (mcpaccess.appin therolesclaim, e.g. a managed identity). - Re-adds the fully-qualified scope to the returned
AccessToken.scopesso the MCP bearer middleware'srequired_scopescheck passes.
- Verifies the JWT signature against Entra's JWKS keys (
-
Client sign-in options:
- VS Code native sign-in — VS Code reads the discovery endpoint and acquires a token through its built-in Microsoft auth provider; no token handling code needed.
- Manual bearer token —
az account get-access-token --scope "api://<app>/.default"and paste it into.vscode/mcp.jsonas anAuthorizationheader. - Programmatic — client.py uses
DefaultAzureCredential(az loginlocally, managed identity in Azure).
One-time Entra setup (app registration, Expose an API, and pre-authorizing the VS Code and Azure CLI first-party client IDs) is documented in AUTH.md.
Running locally
-
Create a
.envfile with your Entra values:ENTRA_TENANT_ID=<your-tenant-id> ENTRA_AUDIENCE=api://<api-app-id> ENTRA_CLIENT_ID=<client-app-id> # Optional, used by execute_kql: KUSTO_CLUSTER=https://<cluster>.kusto.windows.net KUSTO_DATABASE=<database> # Set when deployed: # RESOURCE_SERVER_URL=https://<app>.azurewebsites.net -
Install dependencies and start the server:
pip install -r requirements.txt python main.pyThe MCP endpoint is served at
http://localhost:8000/mcp. -
Verify the advertised OAuth metadata:
curl.exe -s http://localhost:8000/.well-known/oauth-protected-resource -
(Optional) Exercise the server with the demo client:
az login --tenant <your-tenant-id> python client.py
Notes
main.pyincludes verboseprintstatements that are useful for learning/debugging the auth flow; replace them with structured logging for production use.
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.