Add mcp auth documentation #4972
base: v1.16
Signed-off-by: yaron2 <schneider.yaron@live.com>
Azure Static Web Apps: Your stage site is ready! Visit it here: https://kind-hill-063ba6c1e-4972.westus2.5.azurestaticapps.net |
Azure Static Web Apps: Your stage site is ready! Visit it here: https://green-bush-04c343a1e-4972.westus2.4.azurestaticapps.net |
msfussell
left a comment
Reviewed. PTAL
| title: "MCP" | ||
| linkTitle: "MCP" | ||
| weight: 25 | ||
| description: "Dapr helps developers run secure and reliable MCP servers" |
| description: "Dapr helps developers run secure and reliable MCP servers" | |
| description: "Dapr helps developers run secure and reliable Model Context Protocol (MCP) servers" |
|
|
||
| ## Overview | ||
|
|
||
| The MCP specification does not mandate any form of authentication between an MCP client and server. The security model is left to the user to plan and implement, which creates a maintanance burden on developers and opens up MCP servers to various attack surfaces. |
| The MCP specification does not mandate any form of authentication between an MCP client and server. The security model is left to the user to plan and implement, which creates a maintanance burden on developers and opens up MCP servers to various attack surfaces. | |
| The MCP specification. (https://modelcontextprotocol.io/specification/) does not mandate any form of authentication between an MCP client and server. The security model is left to the user to plan and implement. This creates a maintenance burden on developers and opens up MCP servers to various attack surfaces. |
| * Performing privileged actions on behalf of a user | ||
| * Exposing tools that must be permission-gated | ||
|
|
||
| Dapr enables seamless OAuth2 authentication between MCP clients and servers using [middleware]({{% ref "middleware" %}}) components. |
| Dapr enables seamless OAuth2 authentication between MCP clients and servers using [middleware]({{% ref "middleware" %}}) components. | |
| Dapr enables OAuth2 authentication between MCP clients and servers using [middleware]({{% ref "middleware" %}}) components. |
|
|
||
| Dapr allows developers and operators to model remote HTTP services as resources that can be governed and invoked using the Dapr [Service Invocation API]({{% ref "service-invocation-overview" %}}). | ||
|
|
||
| ```yaml |
Can you add a description of what is happening in the steps that follow? Create a component for HTTPEndpoint, etc.
| value: "<comma-separated scopes>" | ||
| ``` | ||
|
|
||
| Next, create the configuration component. |
| Next, create the configuration component. | |
| Next, create the configuration resource. |
|
|
||
| async def main(): | ||
| # Address of the Dapr process | ||
| server_url = "http://localhost:3500/" |
I would add a comment that it is best to use an env var for this in prod code.
|
|
||
| ### Run the MCP client with Dapr | ||
|
|
||
| Put the YAML files above in `components` directory and run Dapr: |
| Put the YAML files above in `components` directory and run Dapr: | |
| Put the YAML files above into a `components` directory and run Dapr: |
| dapr run --app-id mcpclient --resources-path ./components --dapr-http-port 3500 --config ./config.yaml -- python mcpclient.py | ||
| ``` | ||
|
|
||
| If properly configured, the MCP client will cause Dapr to kick off an OAuth2 pipeline before connecting to the MCP server. |
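Review bot: the sentence before this command tells the reader to put the YAML files in `components`, but the command loads the configuration with `--config ./config.yaml` from the working directory. Say explicitly that `config.yaml` stays next to the script while only the component files go in `components`, or change the `--config` path to match.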
| If properly configured, the MCP client will cause Dapr to kick off an OAuth2 pipeline before connecting to the MCP server. | |
| If properly configured, the MCP client causes Dapr to start an OAuth2 pipeline before connecting to the MCP server. |
|
|
||
| ### Define the OAuth2 middleware and configuration components | ||
|
|
||
| We define a middleware component the same as above. |
| We define a middleware component the same as above. | |
| Define a middleware component the same as the client example. |
| dapr run --app-id mcpclient --resources-path ./components --dapr-http-port 3500 --config ./config.yaml -- python mcpserver.py | ||
| ``` | ||
|
|
||
| If properly configured, Dapr will kick off an OAuth2 pipeline when a request for the MCP server arrives. |
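Review bot: the `dapr run` command in the server section still uses `--app-id mcpclient` and `--dapr-http-port 3500`, the same values as the client command, while launching `mcpserver.py`. If the two examples are meant to run side by side, the server needs its own app ID and HTTP port (for example `--app-id mcpserver` with a different port); otherwise state that they are run separately.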
| If properly configured, Dapr will kick off an OAuth2 pipeline when a request for the MCP server arrives. | |
| If properly configured, Dapr will starts an OAuth2 pipeline when a request for the MCP server arrives. |
This PR adds documentation for authenticating MCP clients and servers using Dapr OAuth2 middleware components.