⚠️ Repository Deprecation Notice

This repository is officially DEPRECATED and has been ARCHIVED.

WSO2 is no longer actively contributing to or maintaining this project.

• No new features will be added.
• No security patches or bug fixes will be provided.
• Issues and Pull Requests have been closed.

Why is this happening?

This solution is being deprecated to focus our efforts on more modern Identity and Access Management (IAM) and MCP (Model Context Protocol) implementations.

What should you do?

If you are currently using this proxy, we recommend:

1. Forking the repository if you need to continue development for your own use cases.
2. Transition to Official WSO2 MCP Support: The capabilities previously explored in this proxy are now being integrated into WSO2’s core identity offerings. We recommend migrating to these officially supported solutions for production use cases:
   • WSO2 Identity Server: See the Agentic AI and MCP Guide for implementing MCP-based identity flows in your own environment.
   • Asgardeo: Follow the End-to-End MCP Authorization Tutorial for cloud-native Agentic IAM implementations.

---

Open MCP Auth Proxy

A lightweight authorization proxy for Model Context Protocol (MCP) servers that enforces authorization according to the MCP authorization specification

🚀 Features

• Dynamic Authorization: based on MCP Authorization Specification.
• JWT Validation: Validates the token’s signature, checks the audience claim, and enforces scope requirements.
• Identity Provider Integration: Supports integrating any OAuth/OIDC provider such as Asgardeo, Auth0, Keycloak, etc.
• Protocol Version Negotiation: via MCP-Protocol-Version header.
• Flexible Transport Modes: Supports STDIO, SSE and streamable HTTP transport options.

🛠️ Quick Start

Prerequisites

• A running MCP server (Use the example MCP server if you don't have an MCP server already)
• An MCP client that supports MCP authorization specification

1. Download the latest release from Github releases.

2. Start the proxy in demo mode (uses pre-configured authentication with Asgardeo sandbox):

• Linux/macOS:

./openmcpauthproxy --demo

• Windows:

.\openmcpauthproxy.exe --demo

3. Connect using an MCP client like MCP Inspector.

🔒 Integrate an Identity Provider

Asgardeo

To enable authorization through your Asgardeo organization:

1. Register and create an organization in Asgardeo

2. Create an M2M application

3. Authorize this application to invoke "Application Management API" with the internal_application_mgt_create scope

4. Update config.yaml with the following parameters.

base_url: "http://localhost:8000"                              # URL of your MCP server  
listen_port: 8080                                              # Address where the proxy will listen

resource_identifier: "http://localhost:8080"                 # Proxy server URL
scopes_supported:                                            # Scopes required to defined for the MCP server
- "read:tools"
- "read:resources"
audience: "<audience_value>"                                 # Access token audience
authorization_servers:                                       # Authorization server issuer identifier(s)
- "https://api.asgardeo.io/t/acme"
jwks_uri: "https://api.asgardeo.io/t/acme/oauth2/jwks"       # JWKS URL

5. Start the proxy with Asgardeo integration:

./openmcpauthproxy --asgardeo

Other OAuth Providers

• Auth0
• Keycloak

Transport Modes

STDIO Mode

When using stdio mode, the proxy:

• Starts an MCP server as a subprocess using the command specified in the configuration
• Communicates with the subprocess through standard input/output (stdio)

Note: Any commands specified (like npx in the example below) must be installed on your system first

1. Configure stdio mode in your config.yaml:

stdio:
  enabled: true
  user_command: "npx -y @modelcontextprotocol/server-github"  # Example using a GitHub MCP server
  env:                           # Environment variables (optional)
    - "GITHUB_PERSONAL_ACCESS_TOKEN=gitPAT"    

2. Run the proxy with stdio mode:

./openmcpauthproxy --demo

• SSE Mode (Default): For Server-Sent Events transport
• Streamable HTTP Mode: For Streamable HTTP transport

Available Command Line Options

# Start in demo mode (using Asgardeo sandbox)
./openmcpauthproxy --demo

# Start with your own Asgardeo organization
./openmcpauthproxy --asgardeo

# Use stdio transport mode instead of SSE
./openmcpauthproxy --demo --stdio

# Enable debug logging
./openmcpauthproxy --demo --debug

# Show all available options
./openmcpauthproxy --help

Contributing

We appreciate your contributions, whether it is improving documentation, adding new features, or fixing bugs. To get started, please refer to our contributing guide.