What’s MCP && Authorization?

What’s MCP && Authorization? Bo-Yi Wu @ Mediatek https://blog.wu-boy.com/ 2025/10/14
11:00 - 12:30 Hello World Dev Conference

Preparation before workshop • GitHub Account • GitHub Copilot •
VSCode Editor • Claude Code • Install Golang

Outline • What is MCP (Model Context Protocol)? • MCP
Authorization.

MCP Workshop Using Golang https://github.com/go-training/mcp-workshop

What is MCP? (Model Context Protocol) MCP is an open-source
standard for connecting AI applications to external systems.

IUUQTNPEFMDPOUFYUQSPUPDPMJPEPDTHFUUJOHTUBSUFEJOUSP

IUUQTCJUMZ()P/

.$1JTUIFDSJUJDBMJOGSBTUSVDUVSFGPS"*BHFOUTPS"*XPSL fl PXT .$1)PTU5IFIPTUQSPDFTTBDUTBTUIFDPOUBJOFSBOEDPPSEJOBUPS .$1$MJFOU&BDIDMJFOUJTDSFBUFECZUIFIPTUBOENBJOUBJOTBOJTPMBUFETFSWFSDPOOFDUJPO .$14FSWFS4FSWFSTQSPWJEFTQFDJBMJ[FEDPOUFYUBOEDBQBCJMJUJFT

Types of MCP Servers .PSFQPQVMBS 4USFBNBCMF)51 4UEJP

IUUQTHJUIVCDPNNDQ

$SFBUFECZ%BJMZ%PTFPG%4DPN

IUUQTHJUIVCDPNNPEFMDPOUFYUQSPUPDPMHPTEL

IUUQTHJUIVCDPNNPEFMDPOUFYUQSPUPDPMHPTELJTTVFT $MJFOU4JEF0"VUI4VQQPSU

{ "mcpServers": { "default-stdio-server": { "type": "stdio", "command": "mcp-server", "args":
["-t", "stdio"] }, "default-http-server": { "type": "http", "url": "http://localhost:8080/mcp", "headers": { "Authorization": "xxxxxx" } } } } .$1$PO fi HVSBUJPO

Introduction to MCP With OAuth (2025-06-18 version) IUUQTNPEFMDPOUFYUQSPUPDPMJPTQFDJ fi DBUJPOCBTJDBVUIPSJ[BUJPO

Standards Compliance in OAuth • OAuth 2.1 IETF DRAFT (draft-ietf-oauth-v2-1-12)
• OAuth 2.0 Authorization Server Metadata (RFC8414) • OAuth 2.0 Dynamic Client Registration Protocol (RFC7591) • OAuth 2.0 Protected Resource Metadata (RFC9728)

Authorization Flow (Roles) • MCP Server (OAuth 2.1 Resource Server)
• MCP Client (OAuth 2.1 Client) • Authorization Server • Resource Owner # " $ %

5IF0"VUI"VUIPSJ[BUJPO'SBNFXPSL IUUQTEBUBUSBDLFSJFUGPSHEPDIUNMESBGUJFUGPBVUIWOBNFQSPUPDPM fl PX " # $ %

.$14FSWFS .$1$MJFOU " # $ %

0"VUI1SPUFDUFE3FTPVSDF.FUBEBUB

IUUQTNPEFMDPOUFYUQSPUPDPMJPTQFDJ fi DBUJPOCBTJDBVUIPSJ[BUJPOTFRVFODFEJBHSBN "VUIPSJ[BUJPO4FSWFS%JTDPWFSZ

0"VUI"VUIPSJ[BUJPO4FSWFS.FUBEBUB

IUUQTNPEFMDPOUFYUQSPUPDPMJPTQFDJ fi DBUJPOCBTJDBVUIPSJ[BUJPOTFRVFODFEJBHSBN

"VUIPSJ[BUJPO'MPX4UFQT

MCP Server • Serve protected resource metadata (RFC9728) • Must
include the authorization_servers fi eld • Must return a 401 Unauthorized and include a WWW-Authenticate header

MCP Client • Parse WWW-Authenticate headers on HTTP 401 Unauthorized
response. • Process the protected resource metadata, including available authorization_servers. • Initiate the correct OAuth 2.0 fl ow to obtain tokens form authorization server.

Authorization Server • Support OAuth 2.0 token endpoint(s) as indicated
in the resource metadata • Issue tokens as de fi ned in the OAuth 2.0 speci fi cation • SHOULD be discoverable via the MCP server’s metadata document.

Dynamic Client Registration • MCP Clients and authorization servers SHOULD
support the OAuth 2.0 Dynamic Client Registration Protocol (RFC7591) • MCP Clients to automatically obtain OAuth Client IDs (an Secrets) from authorization.

Implementation to MCP With OAuth (2025-06-18 version) IUUQTNPEFMDPOUFYUQSPUPDPMJPTQFDJ fi DBUJPOCBTJDBVUIPSJ[BUJPO

// Middleware to check Authorization header authMiddleware := func(c *gin.Context)
{ if c.GetHeader("Authorization") == "" { c.AbortWithStatus(http.StatusUnauthorized) return } c.Next() } router.POST("/mcp", authMiddleware, gin.WrapH(mcpServer.ServeHTTP())) router.GET("/mcp", authMiddleware, gin.WrapH(mcpServer.ServeHTTP())) router.DELETE("/mcp", authMiddleware, gin.WrapH(mcpServer.ServeHTTP())) "VUINJEEMFXBSFGPS6OBVUIPSJ[FEXJUIUPLFO $IFDLBVUIPSJ[FEJO1045 (&5BOE%FMFUFSPVUF

// Create OAuth configuration oauthConfig := client.OAuthConfig{ RedirectURI: redirectURI, Scopes:
[]string{"mcp.read", "mcp.write"}, TokenStore: tokenStore, PKCEEnabled: true, // Enable PKCE for public clients } // Try to initialize the client result, err := c.Initialize(context.Background(), mcp.InitializeRequest{ Params: mcp.InitializeParams{ ProtocolVersion: mcp.LATEST_PROTOCOL_VERSION, ClientInfo: mcp.Implementation{ Name: "mcp-oauth-client-example", Version: "1.0.0", }, }, }) $SFBUF0"VUI$PO fi HGPS.$1$MJFOU *OJUJBM.$1$POOFDUJPOGPS0"VUI$MJFOU

router.GET("/.well-known/oauth-protected-resource", corsMiddleware(), func(c *gin.Context) { metadata := &transport.OAuthProtectedResource{ AuthorizationServers: []string{"http://localhost"
+ addr}, Resource: "Example OAuth Protected Resource", ResourceName: "Example OAuth Protected Resource", } c.JSON(http.StatusOK, metadata) }) IUUQTEBUBUSBDLFSJFUGPSHEPDIUNMSGD

router.GET("/.well-known/oauth-authorization-server", corsMiddleware(), func(c *gin.Context) { metadata := transport.AuthServerMetadata{ Issuer: "http://localhost"
+ addr, AuthorizationEndpoint: "http://localhost" + addr + "/authorize", TokenEndpoint: "http://localhost" + addr + "/token", RegistrationEndpoint: "http://localhost" + addr + "/register", ScopesSupported: []string{"openid", "profile", "email"}, ResponseTypesSupported: []string{"code"}, GrantTypesSupported: []string{"authorization_code", "refresh_token"}, TokenEndpointAuthMethodsSupported: []string{"none", "client_secret_basic", "client_secret_post"}, CodeChallengeMethodsSupported: []string{"S256"}, // for inspector } c.JSON(http.StatusOK, metadata) }) IUUQTEBUBUSBDLFSJFUGPSHEPDIUNMSGD "VUIPSJ[BUJPO4FSWFS.FUBEBUB

IUUQTMPHJONJDSPTPGUPOMJOFDPNDPNNPOWXFMMLOPXOPQFOJEDPO fi HVSBUJPO { "token_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token", "token_endpoint_auth_methods_supported": [ "client_secret_post", "private_key_jwt",
"client_secret_basic" ], "jwks_uri": "https://login.microsoftonline.com/common/discovery/v2.0/keys", "subject_types_supported": [ "pairwise" ], "id_token_signing_alg_values_supported": [ "RS256" ], "response_types_supported": [ "code", "id_token token" ], "scopes_supported": [ "openid", "profile", "email" ], "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0", "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo", "authorization_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize", "claims_supported": [ "sub", "iss", "at_hash", "c_hash", "email" ] }

router.POST("/register", corsMiddleware("Authorization", "Content-Type"), func(c *gin.Context) { var req ClientRegistrationMetadata if
err := c.ShouldBindJSON(&req); err != nil { c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) return } // Generate client credentials clientID := uuid.New().String() clientSecret := generateClientSecret() // Create client client := &core.Client{ ID: clientID, Secret: clientSecret, RedirectURIs: req.RedirectURIs, GrantTypes: req.GrantTypes, ResponseTypes: req.ResponseTypes, Scope: req.Scope, IssuedAt: time.Now().Unix(), ClientSecretExpiresAt: time.Now().Add(1 * time.Minute).Unix(), } err := oauthStore.CreateClient(context.Background(), client) if err != nil { c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to create client", "details": err.Error()}) return } slog.Debug("Client registered", "response", response) c.JSON(http.StatusCreated, response) }) IUUQTEBUBUSBDLFSJFUGPSHEPDIUNMSGD %ZOBNJD$MJFOU3FHJTUSBUJPO1SPUPDPM 1MFBTFJNQMFNFOUUIFSFHJTUSBUJPO fl PX

3'$ 1SPPG,FZGPS$PEF&YDIBOHFCZ0"VUI1VCMJD$MJFOUT

OAuth PKCE Flow • Generate a code veri fi er
for PKCE (Proof Key for Code Exchange) • Generates a code challenge from a code veri fi er (SHA256 + Base64URL encoding) • Generate anti-CSRF state (32 chars)

// Try to initialize again with the token result, err
= c.Initialize(context.Background(), mcp.InitializeRequest{ Params: mcp.InitializeParams{ ProtocolVersion: mcp.LATEST_PROTOCOL_VERSION, ClientInfo: mcp.Implementation{ Name: "mcp-go-oauth-example", Version: "0.1.0", }, }, }) if result.Capabilities.Tools != nil { tools, err := c.ListTools(context.Background(), mcp.ListToolsRequest{ PaginatedRequest: mcp.PaginatedRequest{ Params: mcp.PaginatedParams{ Cursor: "", }, }, }) for _, tool := range tools.Tools { slog.Info("Available Tool", "name", tool.Name) } } *OJUJBMJ[F.$1$MJFOU"HBJO -JTUBWBJMBCMF.$1UPPMMJTU

MCP OAuth Demo In VSCode Editor Using GitHub Copilot

Create New OAuth Apps In GitHub

IUUQTHJUIVCDPNTFUUJOHTBQQMJDBUJPOTOFX

{ "servers": { "default-stdio-server": { "type": "stdio", "command": "mcp-server", "args":
["-t", "stdio"] }, "default-http-server": { "type": "http", "url": "http://localhost:8080/mcp", "headers": { "Authorization": "Bearer 1234567890" } }, "default-oauth-server": { "type": "http", "url": "http://localhost:9093/mcp" } } }

$MBVEF$PEF$-*

Thanks

What’s MCP && Authorization?

What’s MCP && Authorization?

More Decks by Bo-Yi Wu

Other Decks in Technology

Featured

Transcript