Skip to content

wso2/open-mcp-auth-proxy

BranchesTags

Repository files navigation

Open MCP Auth Proxy

A lightweight authorization proxy for Model Context Protocol (MCP) servers that enforces authorization according to the MCP authorization specification.

Architecture Diagram

What it Does

Open MCP Auth Proxy sits between MCP clients and your MCP server to:

  • Intercept incoming requests
  • Validate authorization tokens
  • Offload authentication and authorization to OAuth-compliant Identity Providers
  • Support the MCP authorization protocol

Quick Start

Prerequisites

  • Go 1.20 or higher
  • A running MCP server
  • An MCP client that supports MCP authorization

Installation

git clone https://github.com/wso2/open-mcp-auth-proxy
cd open-mcp-auth-proxy
go get github.com/golang-jwt/jwt/v4 gopkg.in/yaml.v2
go build -o openmcpauthproxy ./cmd/proxy

Basic Usage

  1. The repository comes with a default config.yaml file that contains the basic configuration:
listen_port: 8080
base_url: "http://localhost:8000"  # Your MCP server URL
paths:
  sse: "/sse"
  messages: "/messages/"
  1. Start the proxy in demo mode (uses pre-configured authentication with Asgardeo sandbox):
./openmcpauthproxy --demo
  1. Connect using an MCP client like MCP Inspector(This is a temporary fork with fixes for authentication issues in the original implementation)

Identity Provider Integration

Demo Mode

For quick testing, use the --demo flag which includes pre-configured authentication and authorization with an Asgardeo sandbox.

./openmcpauthproxy --demo

Asgardeo Integration

To enable authorization through your own Asgardeo organization:

  1. Register and create an organization in Asgardeo
  2. Create an M2M application
    1. Authorize this application to invoke "Application Management API" with the internal_application_mgt_create scope image
    2. Update the existing config.yaml with your Asgardeo details:

Configure the Auth Proxy

Create a configuration file config.yaml with the following parameters:

base_url: "http://localhost:8000"  # URL of your MCP server  
listen_port: 8080                             # Address where the proxy will listen

asgardeo:                                     
  org_name: "<org_name>"                      # Your Asgardeo org name
  client_id: "<client_id>"                    # Client ID of the M2M app
  client_secret: "<client_secret>"            # Client secret of the M2M app
  1. Start the proxy with Asgardeo integration:
./openmcpauthproxy --asgardeo

Other OAuth Providers

Testing with an Example MCP Server

If you don't have an MCP server, you can use the included example:

  1. Navigate to the resources directory
  2. Set up a Python environment:
python3 -m venv .venv
source .venv/bin/activate
pip3 install -r requirements.txt
  1. Start the example server:
python3 echo_server.py

Advanced Configuration

Transport Modes

The proxy supports two transport modes:

  • SSE Mode (Default): For Server-Sent Events transport
  • stdio Mode: For MCP servers that use stdio transport

When using stdio mode, the proxy:

  • Starts an MCP server as a subprocess using the command specified in the configuration
  • Communicates with the subprocess through standard input/output (stdio)
  • Note: Any commands specified (like npx in the example below) must be installed on your system first

To use stdio mode:

./openmcpauthproxy --demo --stdio

Example: Running an MCP Server as a Subprocess

  1. Configure stdio mode in your config.yaml:
listen_port: 8080
base_url: "http://localhost:8000" 

stdio:
  enabled: true
  user_command: "npx -y @modelcontextprotocol/server-github"  # Example using a GitHub MCP server
  env:                           # Environment variables (optional)
    - "GITHUB_PERSONAL_ACCESS_TOKEN=gitPAT"

# CORS configuration
cors:
  allowed_origins:
    - "http://localhost:5173"  # Origin of your client application
  allowed_methods:
    - "GET"
    - "POST"
    - "PUT"
    - "DELETE"
  allowed_headers:
    - "Authorization"
    - "Content-Type"
  allow_credentials: true

# Demo configuration for Asgardeo
demo:
  org_name: "openmcpauthdemo"
  client_id: "N0U9e_NNGr9mP_0fPnPfPI0a6twa"
  client_secret: "qFHfiBp5gNGAO9zV4YPnDofBzzfInatfUbHyPZvM0jka"
  1. Run the proxy with stdio mode:
./openmcpauthproxy --demo

The proxy will:

  • Start the MCP server as a subprocess using the specified command
  • Handle all authorization requirements
  • Forward messages between clients and the server

Complete Configuration Reference

# Common configuration
listen_port: 8080
base_url: "http://localhost:8000"
port: 8000

# Path configuration
paths:
  sse: "/sse"
  messages: "/messages/"

# Transport mode
transport_mode: "sse"  # Options: "sse" or "stdio"

# stdio-specific configuration (used only in stdio mode)
stdio:
  enabled: true
  user_command: "npx -y @modelcontextprotocol/server-github"  # Command to start the MCP server (requires npx to be installed)
  work_dir: ""  # Optional working directory for the subprocess

# CORS configuration
cors:
  allowed_origins:
    - "http://localhost:5173"
  allowed_methods:
    - "GET"
    - "POST"
    - "PUT"
    - "DELETE"
  allowed_headers:
    - "Authorization"
    - "Content-Type"
  allow_credentials: true

# Demo configuration for Asgardeo
demo:
  org_name: "openmcpauthdemo"
  client_id: "N0U9e_NNGr9mP_0fPnPfPI0a6twa"
  client_secret: "qFHfiBp5gNGAO9zV4YPnDofBzzfInatfUbHyPZvM0jka"  

# Asgardeo configuration (used with --asgardeo flag)
asgardeo:
  org_name: "<org_name>"
  client_id: "<client_id>"
  client_secret: "<client_secret>"

About

Authentication and Authorization Proxy for MCP Servers

Topics

ballerina natural-programming

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

18 stars

Watchers

44 watching

Forks

5 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 6

Languages