This workshop provides a comprehensive guide to building MCP (Model Context Protocol) servers and clients using the Go programming language. You will learn how to leverage MCP to streamline your workflow and enhance your development environment.
📖 Slides: Building MCP (Model Context Protocol) with Golang
📖 Slides: Building MCP (Model Context Protocol) with Golang
This workshop consists of hands-on modules, each demonstrating a key aspect of building MCP (Model Context Protocol) servers and related infrastructure in Go.
- 01. Basic MCP Server:
- Minimal MCP server supporting both stdio and HTTP, using Gin. Shows server setup, tool registration, and logging/error handling best practices.
- Key features: Dual transport (stdio/HTTP), Gin integration, extensible tool registration.
- 02. Basic Token Passthrough:
- Transparent authentication token passthrough for HTTP and stdio. Demonstrates context injection and tool development for authenticated requests.
- Key features: Token passthrough, context injection, example authenticated tools.
- 03. OAuth MCP Server:
- MCP server with OAuth 2.0 protection. Example endpoints for auth, tokens, resource metadata; context-based token handling and authenticated API usage.
- Key features: OAuth 2.0 flow, protected endpoints, context-based token propagation, demo tools.
- 04. Observability:
- Observability and tracing for MCP servers using OpenTelemetry and structured logging. Includes metrics, detailed traces, and error reporting.
- Key features: Tracing, structured logging, observability middleware, error reporting.
- 05. MCP Proxy:
- Proxy server that aggregates multiple MCP servers behind one endpoint. Supports live streaming and centralizes configuration/security.
- Key features: Unified access, SSE/HTTP streaming, flexible config, improved security.
Refer to each module’s directory and README.md
for detailed instructions and code examples
The .vscode/mcp.json
file configures MCP-related development in VS Code, allowing you to register servers and store required credentials (such as API keys) in a single place. This enables easy integration and switching between different MCP endpoints and credential sets.
- inputs: Prompt the user for required values (e.g., API keys) when the workspace is opened.
- Example:
perplexity-key
– stores your Perplexity API Key as a password input.
- Example:
- servers: Define named MCP server connections, including protocol, endpoint, and optional headers.
- Examples:
default-stdio-server
: Connects to a local MCP server using stdio viamcp-server
.default-http-server
: Connects to a remote MCP server over HTTP, using an authorization header.default-oauth-server
,proxy-server-01
,proxy-server-02
: Additional HTTP(S) endpoints, with or without headers.
- Examples:
{
"inputs": [
{
"type": "promptString",
"id": "perplexity-key",
"description": "Perplexity API Key",
"password": true
}
],
"servers": {
"default-stdio-server": {
"type": "stdio",
"command": "mcp-server",
"args": ["-t", "stdio"]
},
"default-http-server": {
"type": "http",
"url": "http://localhost:8080/mcp",
"headers": {
"Authorization": "Bearer 1234567890"
}
}
// ... more server entries ...
}
}
- Place
.vscode/mcp.json
in the root or.vscode/
directory of your workspace. - Add/modify
inputs
for required user secrets. - Configure
servers
with endpoints for each service you want to register (specify type, command, URL, and headers as needed). - On opening the workspace, VS Code and supported MCP tools will prompt for the required inputs and use the server connections for MCP operations.
For further customization or advanced usage, edit the file to add endpoints or credentials. Centralized configuration streamlines connection management and development.
The MCP Inspector is a developer tool (similar to Postman) for testing and debugging MCP servers. Use it to send requests and view responses from MCP endpoints—ideal for streamlining development and troubleshooting.
The following diagrams illustrate the OAuth flow within MCP, detailing the sequence of communication between roles.
Sequence diagram showing communication with each role separately:
For more information:
The full OAuth access token flow is depicted in the MCP Specification. A simplified sequence:
sequenceDiagram
participant B as User-Agent (Browser)
participant C as Client
participant M as MCP Server (Resource Server)
participant A as Authorization Server
C->>M: MCP request without token
M->>C: HTTP 401 Unauthorized with WWW-Authenticate header
Note over C: Extract resource_metadata URL from WWW-Authenticate
C->>M: Request Protected Resource Metadata
M->>C: Return metadata
Note over C: Parse metadata and extract authorization server(s)<br/>Client determines AS to use
C->>A: GET /.well-known/oauth-authorization-server
A->>C: Authorization server metadata response
alt Dynamic client registration
C->>A: POST /register
A->>C: Client Credentials
end
Note over C: Generate PKCE parameters
C->>B: Open browser with authorization URL + code_challenge
B->>A: Authorization request
Note over A: User authorizes
A->>B: Redirect to callback with authorization code
B->>C: Authorization code callback
C->>A: Token request + code_verifier
A->>C: Access token (+ refresh token)
C->>M: MCP request with access token
M-->>C: MCP response
Note over C,M: MCP communication continues with valid token
Note: Dynamic Client Registration is NOT supported by Remote MCP Server at this time.
Some known vulnerabilities in MCP implementations:
- Command Injection (Impact: Moderate 🟡)
- Tool Poisoning (Impact: Severe 🔴)
- Open Connections via SSE (Impact: Moderate 🟠)
- Privilege Escalation (Impact: Severe 🔴)
- Persistent Context Misuse (Impact: Low, but risky 🟡)
- Server Data Takeover/Spoofing (Impact: Severe 🔴)
For more information, see MCP Vulnerabilities.