Expand vMCP two-boundary auth diagram and descriptions#681

Open
jhrozek wants to merge 2 commits into main from vmcp-clarify

Conversation

@jhrozek
Contributor

@jhrozek jhrozek commented Apr 8, 2026

Description

Addresses user feedback that the two-boundary authentication model diagram was too abstract. Specifically:

  • The vMCP box now shows the three internal steps (token validation → Cedar policy authorization → backend proxy) instead of a single unlabeled node
  • Token validation labels clarify that the check covers issuer, audience, expiry, and signature for JWTs, or token introspection for opaque tokens
  • Boundary 1 description explains that this all happens inside the single vmcp process, unlike a plain MCPServer deployment where a separate ToolHive proxy handles auth
  • Boundary 1 notes that the audience must be explicitly configured for vMCP
  • Boundary 2 description links to the Outgoing authentication section rather than listing an incomplete set of strategies

Type of change

  • Documentation update

Related issues/PRs

Screenshots

Submitter checklist

Content and formatting

  • I have reviewed the content for technical accuracy
  • I have reviewed the content for spelling, grammar, and style

Copilot AI review requested due to automatic review settings April 8, 2026 20:55

Contributor

Copilot AI left a comment

Pull request overview

This PR updates the vMCP authentication documentation to make the two-boundary model more concrete by expanding the diagram and clarifying the incoming/outgoing boundary descriptions.

Changes:

  • Expands the Mermaid diagram to show token validation → Cedar policy authorization → backend proxy as distinct internal steps within vMCP.
  • Clarifies what token validation entails (JWT checks vs opaque token introspection) and that this occurs in-process in vmcp.
  • Simplifies Boundary 2 text to point readers to the “Outgoing authentication” section for supported strategies.

jhrozek and others added 2 commits April 9, 2026 10:38
- Show token validation, Cedar policy authz, and backend proxy as
  distinct steps inside the vMCP box
- Clarify Boundary 1 covers issuer, audience, expiry, and signature
  (JWT) or introspection (opaque tokens)
- Note that audience must be explicitly configured for vMCP, unlike
  plain MCPServer deployments
- Replace incomplete outgoing strategy list with a link to the
  Outgoing authentication section

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Line 22: add signature/introspection to diagram token validation node
  to match prose description of JWT and opaque token paths
- Line 48: replace inaccurate blanket audience requirement with accurate
  distinction: required for oidcConfigRef, optional for inline OIDC

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>