mcp-oidc-nx-poc
Verified Safe, by adem-hassine
Overview
Demonstrates a Keycloak-protected Model Context Protocol (MCP) server for OIDC-based authentication and authorization of various backend tools.
Installation
npx nx serve mcp-server --verbose
Environment Variables
- PORT
- RESOURCE_SERVER_URL
- KEYCLOAK_ISSUER
- EXPECTED_AUDIENCE
- MATH_ROLE
- CORS_ORIGINS
- CORS_ORIGIN
- VITE_API_BASE_URL
- VITE_AUTH_METADATA_URL
- VITE_AUTH_AUTHORIZATION_ENDPOINT
- VITE_AUTH_TOKEN_ENDPOINT
- VITE_AUTH_CLIENT_ID
- VITE_AUTH_REDIRECT_URI
- VITE_AUTH_DEFAULT_SCOPES
- VITE_AUTH_RESOURCE_INDICATOR
- VITE_AUTH_ISSUER
- VITE_AUTH_LOGOUT_REDIRECT_URI
Security Notes
The server uses `jose` for JWT verification and enforces role- and scope-based authorization, with `zod` validating tool inputs; both are sound choices. CORS origins are configurable (`CORS_ORIGINS` / `CORS_ORIGIN`) and should be set to an explicit allowlist rather than a wildcard. `AppController.ts` imports `execSync` (from `child_process`) but never calls it; the dead import should be removed so that shell execution is not wired in later without an explicit review. `docker-compose.yml` ships development credentials, Keycloak `admin`/`admin` and an empty MySQL password, which the project itself flags as needing hardening before production; at minimum they should come from secrets rather than committed defaults.
Similar Servers
example-remote-server
A reference server demonstrating all Model Context Protocol (MCP) features and OAuth 2.0 authentication patterns.
sagemcp
A scalable platform for hosting multi-tenant Model Context Protocol (MCP) servers, with OAuth integration and connector plugins for various services.
keycloak-mcp
Manages Keycloak users, realms, clients, roles, and groups through a standardized Model Context Protocol (MCP) interface for AI agents.
mcp-server-playground
A playground and reference implementation for a Model Context Protocol (MCP) server, featuring streamable HTTP transport, OAuth proxy for third-party authorization servers like Auth0, and stateful session management.