mcp-shield
by jpinsonneau
Overview
Provides an OAuth proxy for Model Context Protocol (MCP) servers on OpenShift. It handles OAuth 2.0 discovery, client registration and token exchange, and adds a proxy token layer in front of the backend MCP server.
Installation
docker run -p 8080:8080 -e OAUTH_AUTHORIZATION_SERVERS=https://your-mcp-server.apps.example.com -e INSPECTOR_ORIGIN=https://mcp-inspector.apps.example.com quay.io/<MY_USER>/mcp-shield:dev
Environment Variables
- OAUTH_AUTHORIZATION_SERVERS
- INSPECTOR_ORIGIN
- OAUTH_CLIENT_ID
- OAUTH_REDIRECT_URIS
- OPENSHIFT_OAUTH_TOKEN_URL
- MCP_BACKEND_URL
- MCP_BACKEND_PATH
- PROXY_TOKEN_TTL
Security Notes
The server's HTTP client (`internal/handlers/oauth_token.go`) disables TLS certificate verification (`InsecureSkipVerify: true`) when calling the OpenShift OAuth token endpoint. Even if this was meant for clusters with self-signed certificates, it lets any on-path attacker impersonate the token endpoint and read or forge the tokens exchanged there; the right fix is to trust the cluster CA explicitly rather than to skip verification. In addition, the `INSPECTOR_ORIGIN` environment variable, which feeds the CORS `Access-Control-Allow-Origin` header, defaults to `*` (any origin) when it is not set. That is convenient in development, but in production it lets any web page issue cross-origin requests to the proxy. Set it to the exact origin of the inspector and check the response headers before exposing the service.
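The two issues in the note above, shown as an added Go example that is not part of mcp-shield's source: the insecure client pattern next to a hardened one that trusts a supplied CA bundle instead of skipping verification, and an explicit-origin CORS allowlist in place of the `*` default. The CA-bundle parameter, the comma-separated parsing of INSPECTOR_ORIGIN, the function names and the sample inputs are assumptions made for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// Constructed input for the stand-alone run: deliberately not a certificate.
const sampleBadPEM = "not a certificate bundle\n"

// newTokenClientInsecure reproduces the pattern the security note describes
// (a reconstruction, not the project's code): verification is off, so anyone
// who can answer for OPENSHIFT_OAUTH_TOKEN_URL on the path can read the
// authorization code and hand back a token of their choosing.
func newTokenClientInsecure() *http.Client {
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}},
	}
}

// newTokenClient is the hardened form: verify against the system roots plus an
// optional cluster CA bundle (PEM). A self-signed cluster CA is handled by
// trusting it explicitly; an unparsable bundle is an error, never a fallback
// to skipping verification.
func newTokenClient(extraCAPEM []byte) (*http.Client, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		// Fail closed: an empty pool rejects every server certificate.
		pool = x509.NewCertPool()
	}
	if len(extraCAPEM) > 0 && !pool.AppendCertsFromPEM(extraCAPEM) {
		return nil, errors.New("CA bundle contains no parsable certificate")
	}
	return &http.Client{
		Timeout: 10 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{
			RootCAs:    pool,
			MinVersion: tls.VersionTLS12,
		}},
	}, nil
}

// tlsConfigOf exposes the transport's TLS settings so a deployment check can
// confirm that verification is really on.
func tlsConfigOf(c *http.Client) *tls.Config {
	return c.Transport.(*http.Transport).TLSClientConfig
}

// parseInspectorOrigins turns INSPECTOR_ORIGIN (assumed here to be a
// comma-separated list) into an allowlist. It refuses an empty value and the
// wildcard, and requires https, so the "*" default cannot reappear silently.
func parseInspectorOrigins(env string) ([]string, error) {
	var out []string
	for _, o := range strings.Split(env, ",") {
		o = strings.TrimSpace(o)
		if o == "" {
			continue
		}
		if o == "*" {
			return nil, errors.New("INSPECTOR_ORIGIN must list explicit origins, not *")
		}
		if !strings.HasPrefix(o, "https://") {
			return nil, fmt.Errorf("origin %q must use https", o)
		}
		out = append(out, strings.TrimSuffix(o, "/"))
	}
	if len(out) == 0 {
		return nil, errors.New("INSPECTOR_ORIGIN is unset; refusing to default to *")
	}
	return out, nil
}

// corsOriginFor returns the Access-Control-Allow-Origin value for a request's
// Origin header: the allowlisted origin itself, or "" meaning omit the header.
// Matching is exact, so a lookalike such as
// https://mcp-inspector.apps.example.com.evil.net is not accepted.
func corsOriginFor(origin string, allowlist []string) string {
	for _, a := range allowlist {
		if a == origin {
			return a
		}
	}
	return ""
}

func main() {
	_, err := newTokenClient([]byte(sampleBadPEM))
	fmt.Println("bad CA bundle rejected:", err)
	hardened, _ := newTokenClient(nil)
	fmt.Println("insecure skips verify:", tlsConfigOf(newTokenClientInsecure()).InsecureSkipVerify,
		"| hardened skips verify:", tlsConfigOf(hardened).InsecureSkipVerify)
	_, err = parseInspectorOrigins("*")
	fmt.Println("wildcard rejected:", err)
	allow, _ := parseInspectorOrigins("https://mcp-inspector.apps.example.com")
	fmt.Println("inspector allowed:", corsOriginFor("https://mcp-inspector.apps.example.com", allow) != "",
		"| lookalike allowed:", corsOriginFor("https://mcp-inspector.apps.example.com.evil.net", allow) != "")
}
```

When a cluster really does use a private CA, mount its bundle into the container and pass it to `newTokenClient`; the client then verifies the token endpoint the same way it would a public one, and a wrong or missing bundle fails the request instead of quietly accepting any certificate.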
Similar Servers
jetski
Jetski is an open-source platform providing analytics, authentication, and simplified client setup for Model Context Protocol (MCP) servers by acting as a proxy.
sagemcp
A scalable platform for hosting multi-tenant Model Context Protocol (MCP) servers, with OAuth integration and connector plugins for various services.
oauth-mcp-proxy
OAuth 2.1 authentication library for Go MCP servers, supporting both mark3labs and official SDKs for token validation and caching.
mcp-server-playground
A playground and reference implementation for a Model Context Protocol (MCP) server, featuring streamable HTTP transport, OAuth proxy for third-party authorization servers like Auth0, and stateful session management.