Skip to content

Add remote HTTP server mode with OAuth authentication and downstream token acquisition.#910

Merged
vukelich merged 1 commit intofeature/2.0beta-remotefrom
dev/svukel/tokenprovider
Oct 24, 2025
Merged

Add remote HTTP server mode with OAuth authentication and downstream token acquisition.#910
vukelich merged 1 commit intofeature/2.0beta-remotefrom
dev/svukel/tokenprovider

Conversation

@vukelich
Copy link
Copy Markdown
Member

@vukelich vukelich commented Oct 21, 2025

What does this PR do?

[Provide a clear, concise description of the changes]

Add remote HTTP server mode with OAuth authentication and downstream token acquisition.

  • Add RunAsRemoteHttpService and OutgoingAuthStrategy options to enable MCP server to run as a remote HTTP service
  • Introduce ITokenProvider abstraction for dependency injection of downstream authentication tokens and credentials
  • Add support for On-Behalf-Of (OBO) token flow and hosting environment identity modes for outgoing authentication
  • Implement OAuth Protected Resource Metadata endpoint at /.well-known/oauth-protected-resource with WWW-Authenticate challenge
  • Add Visual Studio launch profile for debugging remote MCP server with Microsoft.Identity.Web configuration
  • Modernize HTTP host creation using WebApplicationBuilder with authentication and authorization middleware

[Any additional context, screenshots, or information that helps reviewers]

This is for our goals of allowing Microsoft customers self-hosting remote MCP servers.

GitHub issue number?

[Link to the GitHub issue this PR addresses]

Pre-merge Checklist

  • Required for All PRs
    • Read contribution guidelines
    • PR title clearly describes the change
    • Commit history is clean with descriptive messages (cleanup guide)
    • Added comprehensive tests for new/modified functionality
    • Updated servers/Azure.Mcp.Server/CHANGELOG.md and/or servers/Fabric.Mcp.Server/CHANGELOG.md for product changes (features, bug fixes, UI/UX, updated dependencies)
  • For MCP tool changes:
    • One tool per PR: This PR adds or modifies only one MCP tool for faster review cycles
    • Updated servers/Azure.Mcp.Server/README.md and/or servers/Fabric.Mcp.Server/README.md documentation
    • Validate README.md changes using script at eng/scripts/Process-PackageReadMe.ps1. See Package README
    • Updated command list in /servers/Azure.Mcp.Server/docs/azmcp-commands.md and/or /docs/fabric-commands.md
    • For new or modified tool descriptions, ran ToolDescriptionEvaluator and obtained a score of 0.4 or more and a top 3 ranking for all related test prompts
    • For new tools associated with Azure services or publicly available tools/APIs/products, add URL to documentation in the PR description
  • Extra steps for Azure MCP Server tool changes:
    • Updated test prompts in /servers/Azure.Mcp.Server/docs/e2eTestPrompts.md
    • 👉 For Community (non-Microsoft team member) PRs:
      • Security review: Reviewed code for security vulnerabilities, malicious code, or suspicious activities before running tests (crypto mining, spam, data exfiltration, etc.)
      • Manual tests run: added comment /azp run mcp - pullrequest - live to run Live Test Pipeline

@vukelich vukelich requested review from a team, anuchandy, conniey and srnagar as code owners October 21, 2025 22:41
@vukelich vukelich removed the request for review from a team October 21, 2025 22:41
@vukelich vukelich requested a review from fanyang-mono October 21, 2025 22:41
@vukelich vukelich force-pushed the dev/svukel/tokenprovider branch 2 times, most recently from 407bec4 to 9ecbc9b Compare October 21, 2025 23:39
anuchandy
anuchandy reviewed Oct 22, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@anuchandy anuchandy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks Steven!

Comment thread core/Azure.Mcp.Core/src/Areas/Server/Commands/ServiceStartCommand.cs
Comment thread core/Azure.Mcp.Core/src/Areas/Server/Commands/ServiceStartCommand.cs Outdated
Comment thread core/Azure.Mcp.Core/src/Areas/Server/Commands/ServiceStartCommand.cs Outdated
Comment thread core/Azure.Mcp.Core/src/Areas/Server/Commands/ServiceStartCommand.cs
Comment thread core/Azure.Mcp.Core/src/Areas/Server/Commands/ServiceStartCommand.cs
Comment thread ...zure.Mcp.Core/src/Services/Azure/Authentication/AuthenticationServiceCollectionExtensions.cs Outdated
Comment thread core/Azure.Mcp.Core/src/Services/Azure/Authentication/HttpOnBehalfOfTokenCredentialProvider.cs
Comment thread core/Azure.Mcp.Core/src/Services/Azure/Authentication/HttpOnBehalfOfTokenCredentialProvider.cs
Comment thread core/Azure.Mcp.Core/src/Services/Azure/Tenant/TenantService.cs
anuchandy
anuchandy reviewed Oct 22, 2025
View reviewed changes
Comment thread Directory.Packages.props Outdated
@joshfree joshfree moved this from Untriaged to In Progress in Azure MCP Server Oct 22, 2025
@joshfree joshfree added this to the 2025-11 milestone Oct 22, 2025
@joshfree joshfree added server-Azure.Mcp Azure.Mcp.Server remote-mcp Do Not Merge Do Not Merge / WIP PRs labels Oct 22, 2025
@joshfree
Copy link
Copy Markdown
Member

joshfree commented Oct 22, 2025

adding Do Not Merge to exclude it from the October/1.0 query for now

anuchandy
anuchandy reviewed Oct 22, 2025
View reviewed changes
Comment thread core/Azure.Mcp.Core/src/Services/Azure/Authentication/SingleIdentityTokenCredentialProvider.cs Outdated
Comment thread core/Azure.Mcp.Core/src/Services/Azure/Tenant/ITenantService.cs
anuchandy
anuchandy reviewed Oct 22, 2025
View reviewed changes
Comment thread core/Azure.Mcp.Core/src/Services/Azure/Tenant/TenantService.cs Outdated
anuchandy
anuchandy reviewed Oct 22, 2025
View reviewed changes
Comment thread core/Azure.Mcp.Core/src/Services/Azure/Tenant/TenantService.cs
@vukelich vukelich force-pushed the dev/svukel/tokenprovider branch from 7e7d81c to e9f9127 Compare October 24, 2025 16:43
@vukelich
Add remote HTTP server mode with OAuth authentication and downstream …
dd926d2 
…token acquisition

- Add RunAsRemoteHttpService and OutgoingAuthStrategy options to enable MCP server to run as a remote HTTP service
- Introduce ITokenProvider abstraction for dependency injection of downstream authentication tokens and credentials
- Add support for On-Behalf-Of (OBO) token flow and hosting environment identity modes for outgoing authentication
- Implement OAuth Protected Resource Metadata endpoint at /.well-known/oauth-protected-resource with WWW-Authenticate challenge
- Add Visual Studio launch profile for debugging remote MCP server with Microsoft.Identity.Web configuration
- Modernize HTTP host creation using WebApplicationBuilder with authentication and authorization middleware
@vukelich vukelich force-pushed the dev/svukel/tokenprovider branch from e9f9127 to dd926d2 Compare October 24, 2025 19:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@anuchandy anuchandy anuchandy approved these changes

@srnagar srnagar Awaiting requested review from srnagar

Assignees

@vukelich vukelich

Labels

Do Not Merge Do Not Merge / WIP PRs remote-mcp server-Azure.Mcp Azure.Mcp.Server

Projects

Azure MCP Server
Status: Done

Milestone

2025-11

Development

Successfully merging this pull request may close these issues.

3 participants

@vukelich @joshfree @anuchandy