Securing MCP Servers: Role-Based Tool Access with OAuth 2.0 and Azure Entra ID скачать в хорошем качестве

Securing MCP Servers: Role-Based Tool Access with OAuth 2.0 and Azure Entra ID

Learn how to add enterprise-grade security to your Model Context Protocol (MCP) servers in this step-by-step tutorial. We'll implement OAuth 2.0 authentication and role-based authorization to control access to specific tools, allowing you to have both public and secure tools within the same server. 🔒 What You'll Learn: How to secure MCP server tools using Azure Entra ID (formerly Azure AD). The difference between public tools and secure, role-protected tools. How to set up two App Registrations in Entra ID: a server app and a client app. How to define custom app roles for authorization. How to configure your .NET MCP server with JWT Bearer authentication and authorization policies. How to generate and validate OAuth 2.0 access tokens (using v2.0 endpoints). How to test everything in Postman—connecting with and without a token to see tools appear or hide dynamically. 🛠️ Technologies Used: MCP Server for .NET (MCP.Server) ASP.NET Core Microsoft Authentication Library (JWT Bearer) Azure Entra ID / Microsoft Identity Platform Postman (for API testing) ⏱️ Timestamps: 0:00 - Introduction & Demo Overview 2:15 - Creating the Server App Registration in Azure Entra ID 4:30 - Defining App Roles for Security 5:45 - Creating the Client App Registration 7:10 - Setting API Permissions & Granting Consent 8:30 - Creating the .NET MCP Server Project 10:15 - Building Public Tools 12:00 - Building a Secure Tool with the [Authorize] Attribute 14:45 - Configuring Authentication (JWT Bearer) in Program.cs 18:20 - Configuring Authorization Policies for Role-Based Access 20:10 - Setting Up OAuth 2.0 in Postman 23:40 - Getting Tenant ID, Client ID, Client Secret, and Scopes 26:50 - Generating the Access Token 28:30 - Inspecting the Token & Final Server Configuration 30:00 - LIVE DEMO: Connecting to the Server (With/Without Token) 32:45 - Recap and Real-World Use Cases (Free vs. Paid Tools) 📖 Key Concepts Covered: OAuth 2.0 Client Credentials Flow JWT (JSON Web Token) Structure and Validation Role-Based Access Control (RBAC) MCP Server Authorization Filters Manifest settings for requestedAccessTokenVersion 💼 Practical Use Case: This setup is perfect for SaaS platforms or organizations that want to offer a public MCP server with a mix of free tools and premium, secured tools accessible only to customers with valid credentials. ❓ Having Issues? Make sure you've: Set "requestedAccessTokenVersion": 2 in your server app's manifest. Used the v2.0 token endpoint (/v2.0/) in Postman. Correctly formatted your scope: api://{SERVER_APP_CLIENT_ID}/.default Added the AddAuthorizationFilter() method when building your MCP server.