MCP Authentication and Authorization
- Refer here for authorization in the MCP protocol
- FastMCP Authentication
What MCP does in terms of authentication and authorization
- Does not mandate authentication
- Does not enforce authorization
- Provides hooks & metadata so that we can implement cleanly.
Reasoning
- This is intentional, as MCP is designed to work inside enterprises, behind gateways, proxies or trusted clients
Workflow
- We can make MCP tools check whether the user is authenticated and authorized using the Context
Authentication options
- username/password
- username/password with session token
- JWT token
- OAuth2
The above approach makes MCP
- cloud-agnostic
- enterprise-friendly
MCP Context contains
- ctx.header (Transport Headers)
- ctx.metadata (Client Provided identity)
- ctx.client (Client info)
- ctx.session_id (Logical session)
- As implementers we must
  - Decide who the client is
  - Decide what metadata means
  - Enforce policies explicitly
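The following is an added example, not code from the notes or from FastMCP, showing the workflow above end to end: a tool call is gated by first authenticating the caller from the transport header (a JWT token, one of the options listed) and then authorizing it against an explicit, deny-by-default policy. The `Context` class is a stand-in that only mirrors the fields the notes list (`headers`, `metadata`, `client`, `session_id`); it is an assumption, not FastMCP's real `Context` API, and the secret, users, roles and tool names are constructed for the demo. Identity is taken from the transport header and never from `metadata`, because the client controls that field.

```python
"""Added example: an MCP-style tool gated by authentication + authorization.
Standard library only. Context below is an assumed stand-in, not FastMCP's API."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed; load from a secret store in real use


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT in compact form: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes = SECRET,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature, algorithm and expiry check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None  # only accept the algorithm we issue; no "none", no downgrade
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    current = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= current:
        return None
    return claims


@dataclass
class Context:
    """Assumed shape mirroring the fields in the notes (not FastMCP's real class)."""
    headers: dict = field(default_factory=dict)   # transport headers
    metadata: dict = field(default_factory=dict)  # client-provided, untrusted
    client: dict = field(default_factory=dict)    # client info
    session_id: str = ""                          # logical session


# Explicit policy, deny by default: a tool not listed here is never callable.
TOOL_POLICY = {
    "read_report": {"viewer", "admin"},
    "delete_report": {"admin"},
}


def authenticate(ctx: Context, now: Optional[float] = None) -> Optional[dict]:
    """Who is calling? Taken from the transport header, never from ctx.metadata."""
    auth = ctx.headers.get("authorization", "")
    if not auth.lower().startswith("bearer "):
        return None
    return verify_token(auth[len("bearer "):].strip(), now=now)


def authorize(claims: dict, tool_name: str) -> bool:
    """May this role call this tool? Unknown tool or role -> False."""
    return claims.get("role") in TOOL_POLICY.get(tool_name, set())


def call_tool(ctx: Context, tool_name: str, now: Optional[float] = None) -> dict:
    """Gate the tool: authenticate, then authorize, then run the (stub) body."""
    claims = authenticate(ctx, now=now)
    if claims is None:
        return {"ok": False, "error": "unauthenticated"}
    if not authorize(claims, tool_name):
        return {"ok": False, "error": "forbidden", "user": claims.get("sub")}
    # Real tool work would go here; the stub just echoes who ran what.
    return {"ok": True, "tool": tool_name, "user": claims.get("sub"),
            "session": ctx.session_id}


if __name__ == "__main__":
    tok = mint_token({"sub": "alice", "role": "viewer", "exp": time.time() + 300})
    ctx = Context(headers={"authorization": f"Bearer {tok}"}, session_id="s-1")
    print(call_tool(ctx, "read_report"))    # allowed for viewer
    print(call_tool(ctx, "delete_report"))  # forbidden for viewer
```

The `now` parameter exists so expiry can be tested deterministically; in production leave it unset. Note that a token signed with a different secret, an expired token, or a missing header all fall into the same `unauthenticated` path, so the tool never learns anything about the caller before the signature has been checked.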
Username and Password based MCP Implementation
- Watch classroom recording
