showcase-mcp-auth

JuanCatica/showcase-mcp-auth


Showcase MCP Streamable HTTP with Cognito Authentication

This repository demonstrates a secure implementation of a Model Context Protocol (MCP) Streamable HTTP server using AWS services including ECS and API Gateway, with Cognito User Pool authentication. The project showcases a LangChain agent that interacts with authenticated users through MCP tools, implementing access controls where users can only retrieve their own account information.

Key features:

  • Secure authentication flow using Amazon Cognito User Pools
  • LangChain agent integration with MCP tools
  • User-specific data access control (e.g. account balance retrieval)
  • Scalable architecture using AWS ECS and API Gateway

Architecture:

The architecture consists of a local agent (LangChain + MCP client) that communicates with an MCP server running on AWS ECS behind API Gateway. Authentication is handled by Amazon Cognito: the JWTs issued by the Cognito User Pool are validated by a custom FastMCP AuthMiddleware running on ECS. The MCP server exposes tools that securely access user-specific data from DynamoDB, with network traffic routed through VPC Link, NLB, and ALB for scalability and security. All container images are stored in ECR with appropriate IAM roles for task execution.

MCP Tools

The MCP server provides the following tools that can be accessed by authenticated agents:

  • get_account_balance - Retrieves the account balance for the authenticated user from DynamoDB. Demonstrates user-specific data access control where each user can only access their own account information.

  • get_time - Returns the current server time for the authenticated user. Demonstrates basic tool functionality with user context from the JWT token.
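
The pattern behind the architecture and tool descriptions above (claim validation in the auth middleware, then a get_account_balance that accepts no account parameter), as an added example that is not the repository's code. It assumes the token's RS256 signature has already been verified against the user pool's JWKS and that the user's id arrives in a claim named custom:id (hypothetical); the issuer, client ID and balances are constructed values, with a dict standing in for DynamoDB.

```python
import time

# Constructed placeholders for the cognito_issuer / cognito_client_id settings.
COGNITO_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
COGNITO_CLIENT_ID = "example-client-id"
USER_ID_CLAIM = "custom:id"  # hypothetical claim holding the `id` passed to user.py

# Constructed stand-in for the DynamoDB table filled by scripts/user.py.
BALANCES = {"1": "1000.00", "2": "2500.00"}


class AuthError(Exception):
    """Raised when signature-verified claims fail a policy check."""


def check_claims(claims, now=None):
    """Validate claims of a Cognito token. Assumes the RS256 signature was
    already verified against the user pool's JWKS (not shown here)."""
    now = time.time() if now is None else now
    if claims.get("iss") != COGNITO_ISSUER:
        raise AuthError("wrong issuer")
    # Cognito access tokens carry `client_id`; ID tokens carry `aud`.
    token_use = claims.get("token_use")
    if token_use == "access":
        audience = claims.get("client_id")
    elif token_use == "id":
        audience = claims.get("aud")
    else:
        raise AuthError("unexpected token_use")
    if audience != COGNITO_CLIENT_ID:
        raise AuthError("token issued to another app client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise AuthError("token expired")
    user_id = claims.get(USER_ID_CLAIM)
    if not isinstance(user_id, str) or not user_id:
        raise AuthError("no user id in token")
    return user_id


def get_account_balance(claims):
    """Tool body: there is no caller-supplied account argument, so the only
    key ever used for the lookup is the id taken from the validated claims."""
    user_id = check_claims(claims)
    return BALANCES.get(user_id)  # None when the user has no account row
```
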

Quick Start

Follow these steps to test the MCP server using a local agent.

NOTE: Make sure to configure your AWS credentials in your terminal. In this tutorial, we use Terraform v1.8.2.

We will use a couple of scripts located in the scripts/ folder. Make sure you can execute them.

Every step will be executed from the root folder of the project.

0. Set AWS credentials

export AWS_ACCESS_KEY_ID="<AWS_ACCESS_KEY_ID>"
export AWS_SECRET_ACCESS_KEY="<AWS_SECRET_ACCESS_KEY>"
export AWS_SESSION_TOKEN="<AWS_SESSION_TOKEN>"

1. Deploy the network stack:

First the network stack.

sh scripts/deploy network

You will be prompted to enter a deployment name. Then type 'yes' to confirm the deployment.

2. Deploy the mcp stack:

Then the mcp stack.

sh scripts/deploy mcp

The script will use the same deployment name. Type 'yes' to confirm the deployment.

3. Build and deploy the mcp server:

The build script will build and push the MCP server Docker image to ECR, and then deploy it to ECS. This includes:

  • Building the Docker image with the MCP server code
  • Pushing the image to the ECR repository
  • Updating the ECS service to use the new image

sh scripts/build

4. Create user(s)

If required, install boto3 and uv:

pip install boto3 uv

Create user 1:

python scripts/user.py email=user1@example.com password=MyPass123_ first_name=user1 id=1 account_balance=1000.00

Create user 2:

python scripts/user.py email=user2@example.com password=MyPass789_ first_name=user2 id=2 account_balance=2500.00

IMPORTANT: Note that email, password, first_name, and id are used to create the user in Cognito. Additionally, the user.py script uses id and account_balance to set an account balance in the DynamoDB table. These fields will be used to test the MCP tool get_account_balance, which takes no parameters but returns the balance of the authenticated user calling the tool via the agent interaction.

5. Set the agent settings

The following step will help you to configure the agent settings:

sh scripts/asettings

You will see a new file named agent_settings.json which contains the values of cognito_issuer, cognito_client_id, api_url, and model_id used to spin up the agent.

NOTE: You can change the value of the model_id inside the agent_settings.json file to test the agent with another model.

6. Chat with the agent

Execute the following command to interact with the agent. Use the email and password of one of the users created in the previous step.

sh scripts/agent

You will start chatting in the terminal with the agent:

Type exit to quit the chat.

IMPORTANT: As you can see in the previous image, in highlighted section 1, the agent gets the current account balance for the authenticated user (user1). But when the user tries to get the account balance for user2 in highlighted section 2, the agent indicates that it cannot do that.

Destroy everything

First the mcp stack.

sh scripts/destroy mcp

Then the network stack.

sh scripts/destroy network

View Logs

View logs:

sh scripts/logs

🤘 Goodbye!