Skip to content
This repository was archived by the owner on May 16, 2026. It is now read-only.

AlexlaGuardia/mcp-auth-bridge

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
README.md
README.md
 
 

Repository files navigation

mcp-auth-bridge

Status: validating demand. Not built yet. If this solves a real problem for you, drop a 👍 on the interested-users issue so I can gauge the audience before writing code.

The problem

You want to deploy a real MCP server with real auth. You can't.

Claude Code, Claude Desktop, and most MCP clients require Dynamic Client Registration (DCR, RFC 7591). Your enterprise identity provider — Entra ID, Okta, most of Auth0, half of Keycloak — does not support DCR. So the connecting client cannot register itself, the OAuth handshake fails, and you fall back to either:

  • a static client_id baked into every user's config (insecure, unmanageable)
  • writing your own DCR facade that wraps the IdP and pretends DCR is supported (1-2 weeks of OAuth plumbing nobody wants to write)
  • giving up on auth and shipping the server with an API key (the path most teams take, then regret)

This same mismatch shows up across every Python, C#, Go, and JS MCP SDK. A non-exhaustive list:

  • modelcontextprotocol/csharp-sdk#1446 — OAuth proxy / DCR facade for non-DCR providers (Entra ID + Claude Code)
  • PrefectHQ/fastmcp#972 — OAuth works in MCP Inspector but not in Claude Integrations
  • PrefectHQ/fastmcp#1985 — Token Exchange RFC 8693 support
  • modelcontextprotocol/registry#25 — OAuth Config (Optional) for Remotes
  • modelcontextprotocol/csharp-sdk#483 — Granular Authorization for SSE ServerTools
  • mark3labs/mcp-go — OAuth metadata discovery fails for path components

34 distinct open issues across 4 SDKs reference the same family of OAuth pain. Every team is solving it from scratch, badly.

The proposed bridge

A hosted OAuth proxy that sits between your MCP clients and your existing IdP.

[Claude Code] → DCR → [mcp-auth-bridge] → ↓ ↑ ↓ ↑ → [Entra / Okta / Auth0]
                            ↓
                      [your MCP server]

What it would handle:

  • DCR facade for IdPs that don't support it (Entra, Okta, Cognito)
  • Token exchange (RFC 8693) for downstream API calls from MCP tools
  • OAuth metadata discovery (RFC 8414, RFC 9728) with the right path-handling
  • Resource URI validation loose enough for real MCP server URLs
  • Granular tool-level auth scopes (so your delete_user tool requires more than your list_users tool)
  • One-line client integration for FastMCP, fastapi-mcp, mcp-go, csharp-sdk, official Python SDK

You point your MCP server at the bridge URL, configure your IdP in a dashboard, and Claude Code "just works." Same for Cursor, Windsurf, anything else.

Why hosted, not OSS

The OSS version of this is what every team starts and abandons three weeks in. Production-grade OAuth has too many edge cases, too many compliance concerns, and too much ongoing maintenance to be a side library.

A hosted version means:

  • shared maintenance burden across all customers
  • compliance (SOC 2, audit logs) actually feasible
  • managed updates as MCP auth specs evolve
  • no production OAuth code in your repo

Pricing thinking (subject to demand validation)

Tier Target Estimated price
Solo Indie devs, single MCP server, low volume Free or $9/mo
Team Small team, 3-5 servers, audit logs $29-49/mo
Business Multi-IdP, multi-tenant, SLA, SAML+OAuth $99-199/mo
Enterprise SOC 2, on-prem option, custom IdP Talk to me

Why this repo is empty

Because validating demand before building is the whole point. I have a long history of building products and watching them not pull traction. Five-week distribution sweep on four shipped products produced near-zero organic signal. The fix is reversing the order: find the buyer first, build second.

If three or more independent people unprompted say "yes, I would pay for this and here's my context" — I'll start building. If not, this stays a manifesto and I move to the next pain.

Tell me you want it

Open the interested-users issue, drop a 👍, tell me about your stack →

What I want to know:

  • What MCP SDK are you using (FastMCP / fastapi-mcp / official Python / C# / Go / TS)?
  • What IdP are you trying to integrate with (Entra / Okta / Auth0 / Cognito / Keycloak / something else)?
  • What MCP client(s) are blocked (Claude Code / Cursor / Windsurf / Claude Desktop / custom)?
  • Would you pay for a hosted bridge? If yes, what's the budget that hurts vs. the budget that's fine?

No marketing list. No "join the waitlist" form. Just public, observable signal.

Author

Alex LaGuardia · alex@alexlaguardia.dev · @alexlaguardia

Independent dev, currently shipping in the MCP ecosystem (mcprobe, Vigil, MCPWatch). This bridge is the next thing if and only if the demand is real.

About

Validating demand for a hosted OAuth bridge for MCP servers. Empty repo by design — see README.

Topics

oauth authentication mcp okta dcr entra dynamic-client-registration model-context-protocol

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors