mcp-auth
Verified Safe by rrbemfica
Overview
Implement and secure an MCP (Model Context Protocol) API server using Keycloak OpenID Connect for authentication and authorization with dynamic client registration and token exchange capabilities.
Installation
python server.py
Environment Variables
- OIDC_ISSUER_URL
- OIDC_ISSUER_EXTERNAL
- OIDC_CLIENT_ID
- OIDC_AUDIENCE
- RESOURCE_SERVER_URL
- AUTH_ENABLED
Security Notes
- Hardcoded default admin credentials ('admin'/'admin') are present in `docker-compose.yml` and `setup_keycloak.py` for initial Keycloak setup.
- Keycloak is configured with `KC_HOSTNAME_STRICT: "false"` and `KC_HTTP_ENABLED: "true"` in `docker-compose.yml`, relaxing hostname validation and enabling HTTP for development; this could pose risks if deployed directly to production.
- The setup instructions recommend disabling Keycloak's "Trusted Hosts" client registration policy, further relaxing security for dynamic client registration.
- A hardcoded client secret (`PLOs4j6ti521kb5ZVVVwi5GWi9eDYTwq`) is present in `keycloak-standalone/config.json` for the `echo-mcp-server` client.
- Test user credentials (`mcp-admin: admin123`, `mcp-user: user123`, `mcp-readonly: readonly123`) are hardcoded in `config.json`.
- Environment variables for OIDC configuration in `server.py` have hardcoded defaults, requiring explicit override for production.
Similar Servers
example-remote-server
A reference server demonstrating all Model Context Protocol (MCP) features and OAuth 2.0 authentication patterns.
sagemcp
A scalable platform for hosting Multi-tenant Model Context Protocol (MCP) servers with multi-tenant support, OAuth integration, and connector plugins for various services.
oauth-mcp-proxy
OAuth 2.1 authentication library for Go MCP servers, supporting both mark3labs and official SDKs for token validation and caching.
keycloak-mcp
Manages Keycloak users, realms, clients, roles, and groups through a standardized Model Context Protocol (MCP) interface for AI agents.