mcpserver-auth-demo

alefcarlos/mcpserver-auth-demo


This document provides a comprehensive overview of a Protected MCP Server that utilizes OAuth 2.0 authentication to secure its resources and tools.

Tools: 2, Resources: 0, Prompts: 0

Protected MCP Server Sample

This sample demonstrates how to create an MCP server that requires OAuth 2.0 authentication to access its tools and resources. The server provides simple math tools (addition and multiplication) protected by JWT bearer token authentication.

Overview

The Protected MCP Server sample shows how to:

  • Create an MCP server with OAuth 2.0 protection
  • Configure JWT bearer token authentication
  • Implement protected MCP tools and resources
  • Integrate with ASP.NET Core authentication and authorization
  • Provide OAuth resource metadata for client discovery

Prerequisites

  • .NET 9.0 or later

Setup and Running

Step 1: Start the Aspire Host project

First, start the AppHost project:

cd SampleAspNetCoreMcp.AppHost
dotnet run --lp http

The OAuth server will start at http://localhost:8080 and the MCP server will be available at http://localhost:5522.

The VS Code MCP client does not yet support HTTPS with self-signed certificates, so use the HTTP endpoint for testing. #248170

Step 2: Test server using vscode

Follow this guide to test the server using Visual Studio Code

Step 2.1: Test the server using the manual flow notebook

The file manual-flow.ipynb contains a Jupyter notebook that demonstrates how to manually obtain an access token from the OAuth server and use it to access the protected MCP server endpoints.

What the Server Provides

Protected Resources

  • MCP Endpoint: http://localhost:5522/ (requires authentication)
  • OAuth Resource Metadata: http://localhost:5522/.well-known/oauth-protected-resource

Available Tools

The server provides math tools that require authentication:

  1. Add: Add two numbers
     • Parameters: a (double), b (double)
     • Example: Add with a: 2.5, b: 4.25 returns 6.75
  2. Multiply: Multiply two numbers
     • Parameters: a (double), b (double)
     • Example: Multiply with a: 3, b: 5 returns 15

Authentication Configuration

The server is configured to:

  • Accept JWT bearer tokens from the OAuth server at https://localhost:8080
  • Validate token audience as apiservice
  • Require tokens to have appropriate scopes (mcp:tools)
  • Provide OAuth resource metadata for client discovery
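The following Program.cs is an added example of the configuration just listed; it is not the sample project's own code. It uses the ModelContextProtocol.AspNetCore packages (JWT bearer authentication, the MCP authentication extension for resource metadata, and a scope policy on the MCP endpoint). The Keycloak realm name "mcp" in the issuer URL is an assumption, as is the name of the tools class.

```csharp
// Program.cs (added example, not the sample's own code).
// Assumption: the OAuth server is a Keycloak realm named "mcp" (placeholder realm name).
using System.ComponentModel;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using ModelContextProtocol.AspNetCore.Authentication;
using ModelContextProtocol.Server;

var builder = WebApplication.CreateBuilder(args);

var serverUrl = "http://localhost:5522/";
var oauthServerUrl = "http://localhost:8080/realms/mcp"; // token issuer (realm is a placeholder)

builder.Services.AddAuthentication(options =>
{
    // Authenticate with JWT bearer; challenge with the MCP handler so an
    // unauthenticated client gets 401 plus a WWW-Authenticate header that
    // points at the protected-resource metadata document.
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = McpAuthenticationDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
    options.Authority = oauthServerUrl;   // signing keys come from the issuer's discovery document
    options.RequireHttpsMetadata = false; // local http-only demo; never do this outside development
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = oauthServerUrl,
        ValidateAudience = true,
        ValidAudience = "apiservice",      // a token minted for another API is rejected
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
    };
})
.AddMcp(options =>
{
    // Published at /.well-known/oauth-protected-resource for client discovery.
    options.ResourceMetadata = new()
    {
        Resource = new Uri(serverUrl),
        AuthorizationServers = { new Uri(oauthServerUrl) },
        ScopesSupported = ["mcp:tools"],
    };
});

builder.Services.AddAuthorization(options =>
{
    // Keycloak issues granted scopes as a space-separated "scope" claim.
    // A valid token without mcp:tools is authenticated but not authorized.
    options.AddPolicy("McpTools", policy => policy
        .RequireAuthenticatedUser()
        .RequireAssertion(ctx =>
        {
            var scopes = ctx.User.FindFirst("scope")?.Value.Split(' ') ?? [];
            return scopes.Contains("mcp:tools");
        }));
});

builder.Services.AddMcpServer()
    .WithHttpTransport()
    .WithTools<MathTools>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Every MCP request (initialize, tools/list, tools/call) must satisfy the policy.
app.MapMcp().RequireAuthorization("McpTools");
app.Run();

[McpServerToolType]
public class MathTools
{
    [McpServerTool, Description("Add two numbers")]
    public static double Add(double a, double b) => a + b;

    [McpServerTool, Description("Multiply two numbers")]
    public static double Multiply(double a, double b) => a * b;
}
```

The audience check is the part most often left out: without ValidAudience, any token the same Keycloak realm issues for a different API would be accepted here. The scope policy is applied on the mapped MCP endpoint rather than on individual tools, so the handshake itself is refused for tokens that lack mcp:tools.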

Architecture

The server uses:

  • ASP.NET Core for hosting and HTTP handling
  • JWT Bearer Authentication for token validation
  • MCP Authentication Extensions for OAuth resource metadata
  • Simple in-process logic for math operations
  • Authorization to protect MCP endpoints

OAuth Server

This demo uses Keycloak 26.4, which implements RFC 8414 (authorization server metadata) and RFC 7591 (dynamic client registration), both of which are required for MCP OAuth resource metadata discovery.

Configuration Details

  • Server URL: http://localhost:5522
  • OAuth Server: http://localhost:8080

Testing Without Client

You can test the server directly using HTTP tools:

  1. Get an access token from the OAuth server
  2. Include the token in the Authorization: Bearer <token> header
  3. Make requests to the MCP endpoints
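The three steps above as one runnable C# program (an added example, not the repository's notebook). It first shows what an unauthenticated request looks like, then obtains a token with the client_credentials grant and drives the MCP handshake and a tools/call. The Keycloak realm "mcp", the client id "manual-test" and the MCP_CLIENT_SECRET environment variable are placeholders; the protocol version string is the one the author of this example used and may differ from what the server negotiates.

```csharp
// Manual OAuth flow against the sample server (added example; placeholders noted above).
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Text.Json;

const string McpEndpoint = "http://localhost:5522/";
const string TokenEndpoint = "http://localhost:8080/realms/mcp/protocol/openid-connect/token"; // placeholder realm

using var http = new HttpClient();

// Discovery: without a token the server answers 401 and a WWW-Authenticate header
// that names the protected-resource metadata URL (MCP authorization spec behaviour).
var probe = await http.PostAsJsonAsync(McpEndpoint, new { jsonrpc = "2.0", id = 0, method = "ping" });
Console.WriteLine($"No token -> {(int)probe.StatusCode} WWW-Authenticate: {probe.Headers.WwwAuthenticate}");

var metadata = await http.GetFromJsonAsync<JsonElement>(McpEndpoint + ".well-known/oauth-protected-resource");
Console.WriteLine($"authorization_servers: {metadata.GetProperty("authorization_servers")}");
Console.WriteLine($"scopes_supported: {metadata.GetProperty("scopes_supported")}");

// Step 1: get an access token from the OAuth server, scoped to mcp:tools.
var clientSecret = Environment.GetEnvironmentVariable("MCP_CLIENT_SECRET")
    ?? throw new InvalidOperationException("set MCP_CLIENT_SECRET to the confidential client's secret");
var tokenResponse = await http.PostAsync(TokenEndpoint, new FormUrlEncodedContent(new Dictionary<string, string>
{
    ["grant_type"] = "client_credentials",
    ["client_id"] = "manual-test",   // placeholder client
    ["client_secret"] = clientSecret,
    ["scope"] = "mcp:tools",
}));
tokenResponse.EnsureSuccessStatusCode();
var token = (await tokenResponse.Content.ReadFromJsonAsync<JsonElement>()).GetProperty("access_token").GetString()!;

// Step 2: send it as Authorization: Bearer <token> on every MCP request.
http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
http.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
http.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("text/event-stream"));

// Step 3: MCP handshake, then call the Add tool (2.5 + 4.25 should come back as 6.75).
var init = await McpCall(new
{
    jsonrpc = "2.0", id = 1, method = "initialize",
    @params = new { protocolVersion = "2025-06-18", capabilities = new { }, clientInfo = new { name = "manual-flow", version = "0.1" } }
});
Console.WriteLine($"initialize -> {init}");
await McpCall(new { jsonrpc = "2.0", method = "notifications/initialized" });

var add = await McpCall(new
{
    jsonrpc = "2.0", id = 2, method = "tools/call",
    @params = new { name = "Add", arguments = new { a = 2.5, b = 4.25 } }
});
Console.WriteLine($"tools/call Add -> {add}");

async Task<string> McpCall(object message)
{
    var response = await http.PostAsJsonAsync(McpEndpoint, message);
    if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized)
        throw new InvalidOperationException(
            $"401 {response.Headers.WwwAuthenticate}: expired token, wrong audience, or missing mcp:tools scope");
    response.EnsureSuccessStatusCode();

    // Streamable HTTP: a session id assigned on initialize must be echoed on later requests.
    if (response.Headers.TryGetValues("Mcp-Session-Id", out var ids))
    {
        http.DefaultRequestHeaders.Remove("Mcp-Session-Id");
        http.DefaultRequestHeaders.Add("Mcp-Session-Id", ids.First());
    }

    var body = await response.Content.ReadAsStringAsync();
    if (response.Content.Headers.ContentType?.MediaType != "text/event-stream")
        return body;

    // Responses may arrive as SSE; keep only the JSON payload of the data: lines.
    return string.Join("", body.Split('\n').Where(l => l.StartsWith("data:")).Select(l => l[5..].Trim()));
}
```

The discovery step is worth keeping in a manual test: if the 401 does not carry a WWW-Authenticate header, or the metadata document lists an authorization server other than the one you fetched the token from, a real MCP client will fail before it ever shows you a token error.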

External Dependencies

No external data dependencies for math tools.

Troubleshooting

  • Ensure the ASP.NET Core dev certificate is trusted.

    dotnet dev-certs https --clean
    dotnet dev-certs https --trust
    
  • Check the trusted-hosts policy for dynamic client registration on the OAuth server.

References