TOKREPO · Arsenal de IA
Estable

Stack de Auth + Identidad para MCP

Nueve picks para el dev que cablea OAuth, SAML o SSO en un servidor MCP — primero secret vault (Infisical o sops), luego helpers de OAuth/OIDC (OpenAuth, checklist Device Flow), luego proveedor de identidad (Keycloak o Dex), luego scopes finos (Casbin u OPA), por último auditoría (mcp-audit). Orden de instalación con criterio.

9 recursos

What's in this pack

This is the stack for the engineer who has decided their MCP server can't ship with OPENAI_API_KEY in .env.example anymore. Every pick is open-source, production-grade, and slots into a specific layer of the auth onion. The order matters — getting the bottom layer wrong makes every layer above it lie to you.

This stack does not include 'managed Auth0 wrapper' or 'one-click SSO' SaaS. The goal is owning the trust boundary end-to-end, because if your MCP server brokers tool calls into a customer's database, the trust boundary is the product.

Install in this order

  1. Infisical — secret vault, dev-facing. Replace .env files, give every service a typed secret. Self-hostable, has a CLI, has SDKs. Start here because every later tool needs somewhere to put a client secret, signing key, or webhook token. Do not skip to step 2 with secrets in plain config files.
  2. sops — secret encryption for git-committed config. Infisical handles runtime; sops handles the YAML / JSON / env files you genuinely want in version control (Helm values, Terraform tfvars, GitHub Actions). Mozilla's sops is the de facto standard, uses KMS / age / PGP under the hood. Pair, don't replace.
  3. OpenAuth — universal auth server you can self-host. Built by the SST team. Drop-in replacement for Auth0/Clerk if you want OAuth 2.1 + OIDC issuer of your own. Sane defaults, TypeScript-first, deploys to Lambda / Cloudflare / Node. Pick this if your MCP backend is JS/TS and you don't already have a corporate IdP.
  4. OAuth Device Flow — CLI Agent Login Checklist — not a server, a checklist. CLI agents (Claude Code, Codex, Cursor, your own MCP client) authenticate via RFC 8628 device flow. This checklist covers user codes, polling intervals, token storage, refresh, and the security boundaries that bite you (verifier reuse, polling DoS, leaked codes in shell history). Read before writing the flow, not after.
  5. Keycloak — heavyweight IdP for SAML / OIDC / LDAP federation. Pick this if your customers expect to wire your MCP server to Okta / Azure AD / Google Workspace via SAML. Java, batteries-included admin UI, 15+ years of CVE-fixed maturity. Heavy (1-2 GB RAM) but bulletproof.
  6. Dex — lightweight OIDC identity provider with pluggable connectors. Pick this instead of Keycloak if you want a small Go binary that federates LDAP / GitHub / Google / SAML into a single OIDC issuer and stops. Kubernetes-native, no admin UI to maintain. Cloud-native shops default to Dex; enterprise shops default to Keycloak.
  7. Casbin — flexible policy-based access control. After auth (who are you?) comes authz (what can you do?). Casbin gives you RBAC / ABAC / RESTful matchers in a tiny config file, with libraries in 15+ languages. Define (subject, object, action) rules and check them at every MCP tool entry point. Right-sized for app-layer scopes.
  8. Open Policy Agent (OPA) — Rego-based unified policy engine for cloud-native. Pick this over Casbin when policy needs to span more than one service — admission control, sidecar enforcement, terraform plan validation, MCP gateway middleware. Heavier than Casbin, but the right answer when 'who can call this MCP tool' is the same question as 'who can deploy this pod'.
  9. mcp-audit — scan MCP configs for secrets and shadow APIs. The honest audit step: point it at your MCP server config and it flags hardcoded keys, undocumented egress, and unscoped tools. Run in CI after every change. The pack you need because the other eight layers are easy to misconfigure.

How they fit together

         ┌─ Infisical (runtime secrets) ─┐
SECRETS  │                                │── used by every layer below
         └─ sops (git-tracked secrets) ──┘
             │
             ▼
AUTHN    OpenAuth  /  Keycloak  /  Dex
   (your MCP server issues / validates OIDC tokens)
             │
             ▼
FLOW     OAuth Device Flow Checklist
   (CLI agents authenticate without a browser)
             │
             ▼
AUTHZ    Casbin (in-process)  /  OPA (sidecar)
   (every MCP tool call passes through policy)
             │
             ▼
AUDIT    mcp-audit (CI gate)  +  signed audit log
   (you can prove what happened to a customer or a regulator)

The most-skipped layer is scopes — teams ship OAuth, then expose every MCP tool to every authenticated user. That's the auth equivalent of chmod 777. Pick Casbin or OPA on day one and have a policy file in the repo before the first non-toy tool ships.

Tradeoffs you'll hit

  • Infisical vs HashiCorp Vault — Vault is more powerful (dynamic secrets, PKI, transit encryption, leases) but adds operational weight. Infisical wins on developer experience and is enough for 90% of MCP servers. Move to Vault when you need short-lived database credentials or your auditor asks for it.
  • OpenAuth vs Keycloak vs Dex — OpenAuth = build your own IdP cheaply in TS. Keycloak = enterprise IdP with admin UI. Dex = OIDC bridge in front of an existing identity store. Don't run two of these; pick one as your token issuer.
  • Casbin vs OPA — Casbin lives in-process, microsecond latency, simple model file. OPA runs as a service or sidecar, supports complex Rego, integrates with Kubernetes / Envoy / Terraform. Casbin if policy is local to your MCP server; OPA if it's organization-wide.
  • Device Flow vs PKCE redirect — for CLI / agent clients with no browser, device flow is the right answer (read the checklist). For desktop or web MCP clients with a browser, PKCE redirect is simpler and safer.
  • mcp-audit at gate vs at runtime — CI gate catches config drift; runtime audit catches behavior. You want both eventually; ship the CI gate first.

Common pitfalls

  • Storing secrets in MCP server claude_desktop_config.json or .cursor/mcp.json — these files end up in dotfile repos, shared via screenshare, posted in issues. Reference an Infisical handle or sops-encrypted file instead of the raw value.
  • Reusing the OAuth client secret across environments — MCP servers often have a dev/staging/prod split; one leaked secret then compromises three environments. Issue per-environment clients on day one.
  • OIDC ID token used as bearer for tool calls — ID tokens are for the client, not for upstream APIs. Exchange for an access token with the right aud and scopes.
  • Granting mcp:* scope to every authenticated user — define tool-level scopes (mcp:tool:read_file, mcp:tool:exec) and check them in middleware. Casbin / OPA exists for this exact reason.
  • No audit log on tool calls — when a customer asks 'did this agent really delete that record?' you need a signed, append-only log. mcp-audit catches config issues; you still need to emit structured audit events from your MCP server itself.
INSTALAR · UN COMANDO
$ tokrepo install pack/mcp-auth-identity-stack
pásalo a tu agente — o pégalo en tu terminal
Qué incluye

9 recursos listos para instalar

Skill#01
Infisical — Open-Source Secret Management

Manage API keys and secrets across teams and environments. Auto-sync to apps, rotation, audit logs. 25K+ GitHub stars.

by Skill Factory·425 views
$ tokrepo install infisical-open-source-secret-management-41fbcc5c
Skill#02
sops — Simple and Flexible Secrets Management

sops (Secrets OPerationS) encrypts values in YAML, JSON, ENV, and INI files while keeping keys in plaintext. This lets you version-control encrypted secrets in Git, using age, AWS KMS, GCP KMS, Azure Key Vault, or PGP as encryption backends.

by Script Depot·258 views
$ tokrepo install sops-simple-flexible-secrets-management-f8f53103
Script#03
OpenAuth — Universal Auth Server You Can Self-Host

Dax Raad's team's centralized auth server you self-host. Multi-tenant, OAuth/password/SAML/passkey. Auth0/Clerk replacement with full control.

by SST·217 views
$ tokrepo install openauth-universal-auth-server-you-can-self-host
Skill#04
OAuth Device Flow — CLI Agent Login Checklist

OAuth device flow checklist for CLI and agent login. Covers user codes, polling intervals, token storage, logs, and security boundaries.

by henuwangkai·151 views
$ tokrepo install oauth-device-flow-cli-agent-login-checklist-09df47ef
Skill#05
Keycloak — Open Source Identity & Access Management

Keycloak is the most widely deployed open-source IAM solution. SSO, OIDC, SAML, LDAP federation, MFA, social login, and user management for enterprise applications.

by AI Open Source·250 views
$ tokrepo install keycloak-open-source-identity-access-management-2d385875
Skill#06
Dex — OpenID Connect Identity Provider with Pluggable Connectors

Federate authentication across LDAP, SAML, GitHub, Google, and other identity providers through a single OIDC and OAuth 2.0 interface.

by AI Open Source·191 views
$ tokrepo install dex-openid-connect-identity-provider-pluggable-connectors-ecd851b3
Skill#07
Casbin — Flexible Policy-Based Access Control Framework

Casbin is an authorization library that supports access control models including ACL, RBAC, and ABAC. It provides a unified API across Go, Java, Node.js, Python, and other languages, letting developers define and enforce fine-grained permissions using a declarative policy language.

by AI Open Source·159 views
$ tokrepo install casbin-flexible-policy-based-access-control-framework-e2e074be
Skill#08
Open Policy Agent (OPA) — Unified Policy Engine for Cloud Native

CNCF graduated policy engine that decouples authorization and admission rules from your services. Write policies once in Rego, evaluate them anywhere.

by AI Open Source·251 views
$ tokrepo install open-policy-agent-opa-unified-policy-engine-cloud-native-4153bc1e
MCP#09
mcp-audit — Scan MCP Configs for Secrets & Shadow APIs

Audit MCP server configs and source trees to find exposed secrets, risky endpoints, and model access. Outputs JSON/CSV/SARIF/CycloneDX AI-BOM for CI gates.

by MCP Hub·126 views
$ tokrepo install mcp-audit-scan-mcp-configs-for-secrets-shadow-apis
Preguntas frecuentes

Preguntas frecuentes

Do I really need both Infisical AND sops?

Yes, they solve different problems. Infisical replaces .env at runtime — your service fetches secrets at boot via a typed SDK or sidecar, with rotation and access logs. sops encrypts the YAML / JSON / tfvars files you want committed to git (Helm values, Terraform variables, GitHub Actions workflow inputs). Infisical is the source of truth for live secrets; sops is how you keep declarative config reviewable in PRs without leaking the literal values.

OpenAuth, Keycloak, or Dex — how do I pick?

OpenAuth if you're a TypeScript shop building your own IdP from scratch, with no legacy identity store. Keycloak if your customers expect a full enterprise IdP — SAML federation with Okta/Azure AD, admin UI, account self-service, MFA out of the box. Dex if you already have an identity store (LDAP, GitHub, Google) and just need a small OIDC bridge in front of it. Running two of these multiplies your attack surface; pick one as your token issuer.

Casbin vs OPA — when does the extra OPA complexity pay off?

Casbin is right when policy lives inside one MCP server and the questions are 'does subject X have role Y' or 'does subject X have permission Z on resource R'. OPA is right when the same policy needs to be evaluated by multiple services (MCP gateway, Kubernetes admission, Terraform plan check, an API gateway) and you want one Rego rule as the source of truth. If you're not yet running OPA elsewhere, Casbin's a faster start with no operational tax.

What does the OAuth Device Flow checklist actually save me?

The mistakes that get caught in code review the second time but cost you a CVE the first time: not rotating the device code on retry, polling faster than the server's interval and getting rate-limited, logging the full user code in shell history, storing the refresh token in ~/.config with mode 644, not invalidating the refresh token on logout. The checklist is a one-page pre-flight so the senior reviewer can skip the obvious and look at your actual flow.

How does mcp-audit differ from a general secret scanner like Gitleaks?

Gitleaks scans git history for any string that looks like a credential. mcp-audit specifically understands MCP server config schemas — it flags an MCP tool with no scope, a server with network_access: true that didn't declare upstream hosts, a config that mounts the host filesystem without restriction. Different layer: Gitleaks for the repo, mcp-audit for the MCP config. Run both in CI, they don't overlap meaningfully.

MÁS DEL ARSENAL

12 packs · 80+ recursos seleccionados

Explora todos los packs curados en la página principal

Volver a todos los packs