Authentication and Authorization Proxy for MCP Servers
A lightweight authorization proxy for Model Context Protocol (MCP) servers that enforces authorization according to the MCP authorization specification
Open MCP Auth Proxy sits between MCP clients and your MCP server to:
If you don't have an MCP server, you can use the included example:
- Navigate to the
resources
directory- Set up a Python environment:
python3 -m venv .venv source .venv/bin/activate pip3 install -r requirements.txt
- Start the example server:
python3 echo_server.py
Download the latest release from Github releases.
Start the proxy in demo mode (uses pre-configured authentication with Asgardeo sandbox):
./openmcpauthproxy --demo
.\openmcpauthproxy.exe --demo
The repository comes with a default
config.yaml
file that contains the basic configuration:listen_port: 8080 base_url: "http://localhost:8000" # Your MCP server URL paths: sse: "/sse" messages: "/messages/"
To enable authorization through your Asgardeo organization:
Register and create an organization in Asgardeo
Create an M2M application
internal_application_mgt_create
scope
Update config.yaml
with the following parameters.
base_url: "http://localhost:8000" # URL of your MCP server
listen_port: 8080 # Address where the proxy will listen
asgardeo:
org_name: "<org_name>" # Your Asgardeo org name
client_id: "<client_id>" # Client ID of the M2M app
client_secret: "<client_secret>" # Client secret of the M2M app
./openmcpauthproxy --asgardeo
The proxy supports two transport modes:
When using stdio mode, the proxy:
npx
in the example below) must be installed on your system firstTo use stdio mode:
./openmcpauthproxy --demo --stdio
config.yaml
:listen_port: 8080
base_url: "http://localhost:8000"
stdio:
enabled: true
user_command: "npx -y @modelcontextprotocol/server-github" # Example using a GitHub MCP server
env: # Environment variables (optional)
- "GITHUB_PERSONAL_ACCESS_TOKEN=gitPAT"
# CORS configuration
cors:
allowed_origins:
- "http://localhost:5173" # Origin of your client application
allowed_methods:
- "GET"
- "POST"
- "PUT"
- "DELETE"
allowed_headers:
- "Authorization"
- "Content-Type"
allow_credentials: true
# Demo configuration for Asgardeo
demo:
org_name: "openmcpauthdemo"
client_id: "N0U9e_NNGr9mP_0fPnPfPI0a6twa"
client_secret: "qFHfiBp5gNGAO9zV4YPnDofBzzfInatfUbHyPZvM0jka"
./openmcpauthproxy --demo
The proxy will:
# Common configuration
listen_port: 8080
base_url: "http://localhost:8000"
port: 8000
# Path configuration
paths:
sse: "/sse"
messages: "/messages/"
# Transport mode
transport_mode: "sse" # Options: "sse" or "stdio"
# stdio-specific configuration (used only in stdio mode)
stdio:
enabled: true
user_command: "npx -y @modelcontextprotocol/server-github" # Command to start the MCP server (requires npx to be installed)
work_dir: "" # Optional working directory for the subprocess
# CORS configuration
cors:
allowed_origins:
- "http://localhost:5173"
allowed_methods:
- "GET"
- "POST"
- "PUT"
- "DELETE"
allowed_headers:
- "Authorization"
- "Content-Type"
allow_credentials: true
# Demo configuration for Asgardeo
demo:
org_name: "openmcpauthdemo"
client_id: "N0U9e_NNGr9mP_0fPnPfPI0a6twa"
client_secret: "qFHfiBp5gNGAO9zV4YPnDofBzzfInatfUbHyPZvM0jka"
# Asgardeo configuration (used with --asgardeo flag)
asgardeo:
org_name: "<org_name>"
client_id: "<client_id>"
client_secret: "<client_secret>"
Clone the repository:
git clone https://github.com/wso2/open-mcp-auth-proxy
cd open-mcp-auth-proxy
Install dependencies:
go get -v -t -d ./...
Build the application:
Option A: Using Make
# Build for all platforms
make all
# Or build for specific platforms
make build-linux # For Linux (x86_64)
make build-linux-arm # For ARM-based Linux
make build-darwin # For macOS
make build-windows # For Windows
Option B: Manual build (works on all platforms)
# Build for your current platform
go build -o openmcpauthproxy ./cmd/proxy
# Cross-compile for other platforms
GOOS=linux GOARCH=amd64 go build -o openmcpauthproxy-linux ./cmd/proxy
GOOS=windows GOARCH=amd64 go build -o openmcpauthproxy.exe ./cmd/proxy
GOOS=darwin GOARCH=amd64 go build -o openmcpauthproxy-macos ./cmd/proxy
After building, you'll find the executables in the build
directory (when using Make) or in your project root (when building manually).
Linux/macOS:
# If built with Make
./build/linux/openmcpauthproxy --demo
# If built manually
./openmcpauthproxy --demo
Windows:
# If built with Make
.\build\windows\openmcpauthproxy.exe --demo
# If built manually
.\openmcpauthproxy.exe --demo
# Start in demo mode (using Asgardeo sandbox)
./openmcpauthproxy --demo
# Start with your own Asgardeo organization
./openmcpauthproxy --asgardeo
# Use stdio transport mode instead of SSE
./openmcpauthproxy --demo --stdio
# Enable debug logging
./openmcpauthproxy --demo --debug
# Show all available options
./openmcpauthproxy --help
If you're using Make, these additional targets are available:
make test # Run tests
make coverage # Run tests with coverage report
make fmt # Format code with gofmt
make vet # Run go vet
make clean # Clean build artifacts
make help # Show all available targets
{ "mcpServers": { "open-mcp-auth-proxy": { "command": "npx", "args": [ "-y", "@modelcontextprotocol/server-github" ] } } }
Related projects feature coming soon
Will recommend related projects based on sub-categories