Azure Blog Post: Applications on Azure Explored

Guidance for Implementing OAuth Authentication/Authorization on MCP Server

In this article, we'll guide you through the process of adding OAuth authentication and authorization to a ColorsMCP Server in a .NET application. This setup involves configuring OAuth 2.1 using Microsoft Entra (formerly Azure Active Directory).

**Step 1: Configure OAuth 2.1 Settings**

1. **Retrieve Configuration Values**: Retrieve the URL of the MCP Server (ServerUrl), your Entra tenant ID (TenantId), the identifier of the MCP Server (Audience), and the scope (Scope) required by the client.

2. **OAuth Server URL**: Construct the OAuth server URL using the tenant ID: `"https://login.microsoftonline.com/{tenantId}/v2.0"`.

**Step 2: Implement OAuth Authentication**

1. **Add Authentication**: Use the `builder.Services.AddAuthentication()` method to define the authentication scheme.

2. **Configure OAuth**: Implement OAuth 2.1 authentication in your .NET application by specifying the authentication scheme and the options for accessing the OAuth server.

**Step 3: Configure Authorization**

1. **Define Authorization Policies**: Use the `AddAuthorization()` method to define authorization policies based on scopes.

2. **Implement Authorization**: Use the `Authorize()` attribute on controllers or actions to enforce authorization based on the defined policies.

**Example Code**

Here is a basic example of how you might configure OAuth authentication and authorization in a .NET application:

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web; // RequireScope() comes from the Microsoft.Identity.Web package

var builder = WebApplication.CreateBuilder(args);

// Retrieve configuration values (appsettings.json, environment variables, user secrets)
var serverUrl = builder.Configuration["ServerUrl"] ?? ""; // URL of this MCP Server, used by the client configuration
var tenantId = builder.Configuration["TenantId"] ?? "";
var audience = builder.Configuration["Audience"] ?? "";   // Application (Client) ID of the ColorsMCP server
var scope = builder.Configuration["Scope"] ?? "";         // e.g. mcptools.colors

// Microsoft Entra is the OAuth 2.1 Authorization Server for this tenant
var oAuthServerUrl = $"https://login.microsoftonline.com/{tenantId}/v2.0";

// Add Authentication: validate incoming JWT bearer tokens issued by Entra
builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
    options.Audience = audience;
    options.Authority = oAuthServerUrl; // issuer metadata and signing keys are discovered from here
    options.TokenValidationParameters.ValidateAudience = true;
});

// Add Authorization: callers must present a token that carries the required scope
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("MCPClientPolicy", policy => policy.RequireScope(scope));
});

builder.Services.AddControllers(); // needed for MapControllers() below

var app = builder.Build();

// Configure endpoints to require authorization
app.UseAuthentication();
app.UseAuthorization();

app.MapControllers();

app.Run();
```
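The snippet above registers the policy but does not show the endpoint side, and `RequireScope` hides one detail worth knowing: Entra v2.0 access tokens carry delegated scopes in a single space-separated `scp` claim (for example `mcptools.colors offline_access`), so a naive exact-match `RequireClaim("scp", scope)` breaks as soon as a second scope is consented. The following added example (not code from the ColorsMCP repository) implements the scope check by hand with `RequireAssertion`, so it has no dependency on Microsoft.Identity.Web, and shows a controller protected with the `Authorize` attribute from Step 3. The `ColorsController` class, its routes and the sample colour list are assumptions for illustration; the policy name `MCPClientPolicy` is the one from the snippet above.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Added example, not ColorsMCP's own code. Assumes the JWT bearer setup from
// Program.cs above is already registered.
public static class ScopePolicy
{
    public const string Name = "MCPClientPolicy";

    // The JWT handler may surface the scope claim either under its short JWT
    // name "scp" or under the long URI it maps it to; accept both.
    private static readonly string[] ScopeClaimTypes =
    {
        "scp",
        "http://schemas.microsoft.com/identity/claims/scope",
    };

    // True when any scope claim, split on spaces, contains the required scope.
    public static bool HasScope(ClaimsPrincipal user, string requiredScope)
    {
        return ScopeClaimTypes
            .SelectMany(type => user.FindAll(type))
            .SelectMany(claim => claim.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
            .Contains(requiredScope, StringComparer.Ordinal);
    }

    // Registration: builder.Services.AddAuthorization(o => o.AddScopePolicy(scope));
    public static void AddScopePolicy(this AuthorizationOptions options, string requiredScope)
    {
        options.AddPolicy(Name, policy =>
            policy.RequireAuthenticatedUser()
                  .RequireAssertion(ctx => HasScope(ctx.User, requiredScope)));
    }
}

// Every action on this controller requires a validated token carrying the
// configured scope: no token gives 401, a token without the scope gives 403.
[ApiController]
[Route("colors")]
[Authorize(Policy = ScopePolicy.Name)]
public class ColorsController : ControllerBase
{
    // Constructed sample data for the example.
    private static readonly string[] Colors = { "red", "green", "blue" };

    [HttpGet]
    public IActionResult List() => Ok(Colors);

    // A liveness probe that deliberately needs no token; keep such
    // exceptions explicit and minimal.
    [HttpGet("health")]
    [AllowAnonymous]
    public IActionResult Health() => Ok("ok");
}
```

`RequireAuthenticatedUser()` is what turns a missing or invalid token into a 401 challenge rather than a 403, which matters for MCP clients that rely on the challenge to start the OAuth flow.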

**Step 4: Client App Registration**

Although not explicitly needed for some setups (like Visual Studio Code integrations), ensure that your client application is registered with the appropriate permissions and scopes to interact with the MCP Server.

**Step 5: Testing**

Ensure that all endpoints requiring authentication are properly secured and test authorization flows to verify that only authorized clients can access MCP Server resources.

This setup provides a basic framework for integrating OAuth authentication and authorization into a .NET application using the Model Context Protocol (MCP). The ColorsMCP server's source code is available at https://github.com/markharrison/ColorsMCP.

The following configuration values are required for authentication and authorization: ServerUrl, TenantId, Audience, Scope. The Application (Client) ID created during the App Registration is needed for the application configuration, and the Server URL, which is used by Visual Studio, is added to the MCP Server application configuration. The .vscode\mcp.json file contains the configuration to the MCP Server.

Microsoft Entra acts as the OAuth 2.1 Authorization Server. A unique Application (Client) ID for the ColorsMCP server is created during the App Registration in Microsoft Entra, and the scope 'mcptools.colors' is defined during that registration. The MCP Server requires authentication and authorization for both itself and the user; the process involves components exchanging access tokens.

Microsoft Entra issues access tokens that the MCP Clients present when calling the ColorsMCP server. The access token follows the JWT (JSON Web Token) standard, and the individual items within it are called claims. The access tokens allow the server to validate and authorize incoming API requests based on the token integrity and assigned scopes. The OnTokenValidated event handler can be used to display the access token.
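The `OnTokenValidated` hook mentioned above is the right place to look at the claims of an accepted token, but the raw token string is a bearer credential and should not end up in logs. This added example (not ColorsMCP's own code) builds a `JwtBearerEvents` object that records each claim's type and value after validation, logs the reason when validation fails, and rejects tokens that carry no scope claim at all as a second line of defence behind the authorization policy. It assumes the `AddJwtBearer` registration from the snippet above; the `TokenInspection` class name is an assumption, and the events are wired in with `options.Events = TokenInspection.CreateEvents();` inside that `AddJwtBearer` call.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// Added example, not ColorsMCP's own code. Usage inside AddJwtBearer(options => { ... }):
//   options.Events = TokenInspection.CreateEvents();
public static class TokenInspection
{
    private static readonly string[] ScopeClaimTypes =
    {
        "scp",
        "http://schemas.microsoft.com/identity/claims/scope",
    };

    public static JwtBearerEvents CreateEvents() => new JwtBearerEvents
    {
        // Runs only after signature, issuer, audience and lifetime checks passed.
        OnTokenValidated = ctx =>
        {
            var logger = ctx.HttpContext.RequestServices
                .GetRequiredService<ILoggerFactory>()
                .CreateLogger("TokenInspection");

            var principal = ctx.Principal ?? new ClaimsPrincipal();

            // Log the claims, not the token: ctx.SecurityToken and the
            // Authorization header are replayable credentials.
            foreach (var claim in principal.Claims)
            {
                logger.LogInformation("Validated token claim {Type}={Value}", claim.Type, claim.Value);
            }

            var hasScopeClaim = ScopeClaimTypes.Any(type => principal.HasClaim(c => c.Type == type));
            if (!hasScopeClaim)
            {
                // The policy would refuse this anyway; failing here gives a
                // clear 401 with a logged reason instead of a silent 403.
                logger.LogWarning("Rejecting token with no scope claim");
                ctx.Fail("Access token carries no scope claim");
            }

            return Task.CompletedTask;
        },

        // Invalid signature, wrong audience, expired token, unreachable
        // authority: the exception says which, and it is worth keeping.
        OnAuthenticationFailed = ctx =>
        {
            var logger = ctx.HttpContext.RequestServices
                .GetRequiredService<ILoggerFactory>()
                .CreateLogger("TokenInspection");
            logger.LogWarning(ctx.Exception, "JWT bearer validation failed");
            return Task.CompletedTask;
        },
    };
}
```

Claim types appear under their short JWT names (`scp`, `oid`, `tid`) or under the long URIs the handler maps them to, depending on the `MapInboundClaims` setting, which is why the scope check looks for both forms.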

Data and cloud computing technology plays an essential role in implementing OAuth authentication and authorization in this .NET application. Retrieving the required configuration values, such as ServerUrl, TenantId, Audience, and Scope, is a crucial step for configuring OAuth 2.1 settings using Microsoft Entra (formerly Azure Active Directory).
