MCP Auth Server

MCP Auth Server

A Model Context Protocol (MCP) server with HTTP transport that implements JWT authentication, allowing secure tool execution and prompt handling with role-based access control.

Category
Visit Server

README

MCP Auth Step by Step

This repository demonstrates building an MCP (Model Context Protocol) server with HTTP transport and JWT authentication, progressing through iterative steps.

Overview

The project shows how to build a secure MCP server with:

  • FastAPI-based HTTP transport
  • JWT token authentication
  • OAuth 2.0 metadata endpoints
  • Scope-based authorization
  • Role-based access control

Step-by-Step Progression

Step 1: Basic FastAPI Skeleton

  • File: http-transport-steps/src/mcp_http/step1.py
  • What it adds: Basic FastAPI application with health endpoint
  • Key features:
    • FastAPI server setup
    • Basic health check endpoint (/health)
    • Foundation for MCP HTTP transport

Step 2: Basic MCP Request Handling

  • File: http-transport-steps/src/mcp_http/step2.py
  • What it adds: MCP protocol request/response handling
  • Key features:
    • MCP request parsing and validation
    • Basic MCP response structure
    • /mcp endpoint for MCP protocol communication
    • JSON-RPC style request handling

Step 3: MCP Tools and Prompts Definitions

  • File: http-transport-steps/src/mcp_http/step3.py
  • What it adds: MCP tools and prompts without dispatching
  • Key features:
    • Tool definitions (echo, get_time)
    • Prompt definitions (greeting, help)
    • MCP protocol compliance for tools and prompts
    • No actual tool execution yet

Step 4: MCP Tools Dispatching

  • File: http-transport-steps/src/mcp_http/step4.py
  • What it adds: Actual tool execution and prompt handling
  • Key features:
    • Tool dispatching and execution
    • Prompt retrieval and handling
    • Working MCP server with functional tools
    • Error handling for invalid requests

Step 5: Basic JWT Infrastructure

  • File: http-transport-steps/src/mcp_http/step5.py
  • What it adds: JWT public key loading and JWKS endpoint
  • Key features:
    • Public key loading from file
    • JWKS (JSON Web Key Set) endpoint (/.well-known/jwks.json)
    • External token generation script (generate_token.py)
    • JWT infrastructure foundation

Step 6: JWT Token Validation

  • File: http-transport-steps/src/mcp_http/step6.py
  • What it adds: JWT authentication middleware and enforcement
  • Key features:
    • JWT token validation middleware
    • Authentication enforcement on /mcp endpoint
    • User context extraction from tokens
    • Proper error responses for invalid/missing tokens

Step 7: OAuth 2.0 Metadata Endpoints

  • File: http-transport-steps/src/mcp_http/step7.py
  • What it adds: OAuth 2.0 metadata for protected resource and authorization server
  • Key features:
    • /.well-known/oauth-protected-resource endpoint
    • /.well-known/oauth-authorization-server endpoint
    • Enhanced health endpoint with OAuth metadata
    • OAuth metadata in MCP responses

Step 8: Scope-Based Authorization

  • File: http-transport-steps/src/mcp_http/step8.py
  • What it adds: Permission checking and role-based access control
  • Key features:
    • check_permission method for scope validation
    • Role-based access control (admin, user, guest)
    • 403 Forbidden responses for insufficient permissions
    • Scope enforcement for MCP operations

Step 9: Enhanced MCP Integration (Planned)

  • What it will add: User context in responses and authenticated tools
  • Planned features:
    • User context in MCP response headers/metadata
    • Authenticated tools with user-aware behavior
    • Enhanced MCP protocol integration
    • Personalized responses based on user identity

JWT Token Structure

The JWT tokens include:

  • User ID: Unique identifier for the user
  • Scopes: Permissions (e.g., mcp:read, mcp:tools, mcp:prompts)
  • Roles: User roles (e.g., admin, user, guest)
  • Expiration: Token validity period

Testing

Each step includes a corresponding test script (test_stepX.sh) that validates:

  • Basic functionality
  • JWT authentication (steps 5+)
  • Authorization (steps 6+)
  • OAuth metadata (steps 7+)
  • Access control (steps 8+)

Usage

Prerequisites

  1. Install uv: https://docs.astral.sh/uv/getting-started/installation/
  2. Navigate to the http-transport-steps directory

Running Steps with uv

# Run any step using uv run
uv run step1
uv run step2
uv run step3
# ... etc

Token Generation

For steps 5-8 that require JWT authentication, you can generate tokens using the generate_token.py script:

uv run python generate_token.py --username alice --scopes mcp:read,mcp:tools
uv run python generate_token.py --username bob --scopes mcp:read,mcp:prompts
uv run python generate_token.py --username admin --scopes mcp:read,mcp:tools,mcp:prompts
uv run python generate_token.py --username guest --scopes ""

Keycloak Token Generation

To quickly get a token for testing step9/keycloak:

curl -X POST "http://localhost:8080/realms/mcp-realm/protocol/openid-connect/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=password" \
  -d "client_id=mcp-test-client" \
  -d "username=mcp-admin" \
  -d "password=admin123" \
  -d "scope=openid profile email mcp:read mcp:tools mcp:prompts" | jq -r '.access_token'

The script will output a JWT token that can be used in the Authorization: Bearer <token> header for authenticated requests.

Dependencies

  • FastAPI
  • PyJWT
  • cryptography
  • uvicorn

The project uses uv for dependency management with pyproject.toml configuration.

Recommended Servers

playwright-mcp

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official
Featured
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Official
Featured
Local
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

Official
Featured
Local
TypeScript
VeyraX MCP

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official
Featured
Local
graphlit-mcp-server

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official
Featured
TypeScript
Kagi MCP Server

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official
Featured
Python
E2B

E2B

Using MCP to run code via e2b.

Official
Featured
Neon Database

Neon Database

MCP server for interacting with Neon Management API and databases

Official
Featured
Exa Search

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official
Featured
Qdrant Server

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official
Featured