feat: Add support for MCP's integration with authorisation server#206
Conversation
antejavor
left a comment
IMO I guess we can always adapt all this stuff when we introduce full Dynamic Client Registration and support for more auth providers, I don't plan to block this.
My thinking for this PR is that it is missing the e2e test for the Keycloak you run locally, I think we should have an e2e test for this, wdyt?
I agree with you, I think this is a good first step, it definitely does enable some good stuff and we can iterate on it later as we collect progress. True, I don't have an e2e test with Keycloak, but the other tests that are there simulate different parts of that, so it should be covered. Also, we will have this deployed in our chaos cluster with Keycloak in K8s.
The goal is to support multi-tenant connections to the Memgraph DB. Previously, each user had to restart the MCP server in order to connect to a different database; now there is a tool for that. The admin sets which user has access to which databases, and the AI agent can handle switching between databases.
Adds support for MCP authorisation based on a single client-id. Does intercepting because Claude doesn't support pre-configured client credentials well. Tested with Keycloak integration; if integrating with some other authorisation server, changes may be needed.
Doesn't use DCR (Dynamic Client Registration) because the only differentiation that matters is per-user (from JWT claims). That means each user running the Claude instance will get the same client id although they are running client apps on different laptops. Same for Cursor, Codex, ... If a need comes to differentiate clients, we will add the implementation later.
Added runtime dependencies:
- pyjwt[crypto] >= 2.10.1
- uvicorn >= 0.30

Added test extras:
- cryptography >= 46.0.7 (for self-signed test JWTs)
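The per-user authorisation the description above relies on, as an added example that is not code from this PR or from the Memgraph MCP project: a token from the authorisation server is verified (algorithm pinned, signature checked in constant time, then exp, iss and aud), and the user claim is mapped to the databases an admin allowed, so a "switch database" request is granted only for that user's databases. The PR verifies Keycloak's RS256 tokens with pyjwt[crypto]; to run offline with the standard library only, this example signs and verifies HS256 with a constructed secret. The issuer, audience, user names, database names, the `DB_ACCESS` table and the use of the `preferred_username` claim are all assumptions, and the two forgery helpers exist only to show what the verifier must reject.

```python
"""Added example, not the PR's code: per-user DB authorisation from JWT claims.
Constructed offline stand-in for a Keycloak-issued token (HS256 with a test
secret instead of RS256 against the realm's JWKS)."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://keycloak.example.test/realms/memgraph"  # assumed issuer
AUDIENCE = "memgraph-mcp"          # assumed: the single shared client-id
SECRET = b"constructed-test-secret-not-for-production"

# Assumed admin-managed table: which user may switch to which database.
DB_ACCESS = {
    "alice": {"memgraph", "analytics"},
    "bob": {"memgraph"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Stand-in for the authorisation server: issue an HS256 token."""
    signing_input = f"{_b64url(_json({'alg': 'HS256', 'typ': 'JWT'}))}.{_b64url(_json(claims))}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Return the claims if the token is valid, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: the header must never choose the verifier
    # (this is what blocks alg=none and HS/RS confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims


def authorise_db_switch(token: str, database: str, now=None) -> bool:
    """Grant the switch only if the verified user is allowed that database."""
    claims = verify_jwt(token, now=now)
    user = claims.get("preferred_username")  # Keycloak-style claim, assumed
    return database in DB_ACCESS.get(user, set())


def is_rejected(token: str, now=None) -> bool:
    try:
        verify_jwt(token, now=now)
    except ValueError:
        return True
    return False


# --- forgery attempts the verifier must reject (constructed) ---------------
def tamper_username(token: str, new_user: str) -> str:
    """Rewrite the payload claim while keeping the original signature."""
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims["preferred_username"] = new_user
    return f"{h}.{_b64url(_json(claims))}.{s}"


def forge_alg_none(claims: dict) -> str:
    """Classic alg=none token with an empty signature."""
    return f"{_b64url(_json({'alg': 'none', 'typ': 'JWT'}))}.{_b64url(_json(claims))}."


if __name__ == "__main__":
    now = 1_700_000_000
    tok = sign_jwt({"iss": ISSUER, "aud": AUDIENCE, "exp": now + 300,
                    "preferred_username": "bob"})
    print("bob -> memgraph:", authorise_db_switch(tok, "memgraph", now=now))
    print("bob -> analytics:", authorise_db_switch(tok, "analytics", now=now))
    print("tampered to alice rejected:", is_rejected(tamper_username(tok, "alice"), now=now))
```

With Keycloak in front, the only parts that change are the signing and verification primitives: the realm publishes RS256 keys at its JWKS endpoint, and pyjwt verifies against that instead of a shared secret. The claim checks (iss, aud, exp) and the user-to-database table stay the same, and the single shared client-id is exactly why aud alone cannot distinguish users, so the per-user claim has to carry that decision.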