[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"pack-detail-mcp-auth-identity-stack-es":3,"seo:pack:mcp-auth-identity-stack:es":95},{"code":4,"message":5,"data":6},200,"操作成功",{"pack":7},{"slug":8,"icon":9,"tone":10,"status":11,"status_label":12,"title":13,"description":14,"items":15,"install_cmd":94},"mcp-auth-identity-stack","🔐","#1E40AF","stable","Estable","Stack de Auth + Identidad para MCP","Nueve picks para el dev que cablea OAuth, SAML o SSO en un servidor MCP — primero secret vault (Infisical o sops), luego helpers de OAuth\u002FOIDC (OpenAuth, checklist Device Flow), luego proveedor de identidad (Keycloak o Dex), luego scopes finos (Casbin u OPA), por último auditoría (mcp-audit). Orden de instalación con criterio.",[16,28,36,46,55,63,70,77,84],{"id":17,"uuid":18,"slug":19,"title":20,"description":21,"author_name":22,"view_count":23,"vote_count":24,"lang_type":25,"type":26,"type_label":27},452,"41fbcc5c-aac8-4f3e-8305-cf2462809684","infisical-open-source-secret-management-41fbcc5c","Infisical — Open-Source Secret Management","Manage API keys and secrets across teams and environments. Auto-sync to apps, rotation, audit logs. 25K+ GitHub stars.","Skill Factory",438,0,"en","skill","Skill",{"id":29,"uuid":30,"slug":31,"title":32,"description":33,"author_name":34,"view_count":35,"vote_count":24,"lang_type":25,"type":26,"type_label":27},1179,"f8f53103-3712-11f1-9bc6-00163e2b0d79","sops-simple-flexible-secrets-management-f8f53103","sops — Simple and Flexible Secrets Management","sops (Secrets OPerationS) encrypts values in YAML, JSON, ENV, and INI files while keeping keys in plaintext. This lets you version-control encrypted secrets in Git, using age, AWS KMS, GCP KMS, Azure Key Vault, or PGP as encryption backends.","Script Depot",273,{"id":37,"uuid":38,"slug":39,"title":40,"description":41,"author_name":42,"view_count":43,"vote_count":24,"lang_type":25,"type":44,"type_label":45},3009,"4ef9462d-c757-48ec-93c1-db0c2835dc0c","openauth-universal-auth-server-you-can-self-host","OpenAuth — Universal Auth Server You Can Self-Host","Dax Raad's team's centralized auth server you self-host. Multi-tenant, OAuth\u002Fpassword\u002FSAML\u002Fpasskey. Auth0\u002FClerk replacement with full control.","SST",232,"script","Script",{"id":47,"uuid":48,"slug":49,"title":50,"description":51,"author_name":52,"view_count":53,"vote_count":24,"lang_type":54,"type":26,"type_label":27},4262,"09df47ef-5671-473a-b2d4-7f1037a43ca6","oauth-device-flow-cli-agent-login-checklist-09df47ef","OAuth Device Flow — CLI Agent Login Checklist","OAuth device flow checklist for CLI and agent login. Covers user codes, polling intervals, token storage, logs, and security boundaries.","henuwangkai",175,"",{"id":56,"uuid":57,"slug":58,"title":59,"description":60,"author_name":61,"view_count":62,"vote_count":24,"lang_type":25,"type":26,"type_label":27},935,"2d385875-34c8-11f1-9bc6-00163e2b0d79","keycloak-open-source-identity-access-management-2d385875","Keycloak — Open Source Identity & Access Management","Keycloak is the most widely deployed open-source IAM solution. SSO, OIDC, SAML, LDAP federation, MFA, social login, and user management for enterprise applications.","AI Open Source",260,{"id":64,"uuid":65,"slug":66,"title":67,"description":68,"author_name":61,"view_count":69,"vote_count":24,"lang_type":25,"type":26,"type_label":27},2479,"ecd851b3-4578-11f1-9bc6-00163e2b0d79","dex-openid-connect-identity-provider-pluggable-connectors-ecd851b3","Dex — OpenID Connect Identity Provider with Pluggable Connectors","Federate authentication across LDAP, SAML, GitHub, Google, and other identity providers through a single OIDC and OAuth 2.0 interface.",201,{"id":71,"uuid":72,"slug":73,"title":74,"description":75,"author_name":61,"view_count":76,"vote_count":24,"lang_type":25,"type":26,"type_label":27},4627,"e2e074be-54ae-11f1-9bc6-00163e2b0d79","casbin-flexible-policy-based-access-control-framework-e2e074be","Casbin — Flexible Policy-Based Access Control Framework","Casbin is an authorization library that supports access control models including ACL, RBAC, and ABAC. It provides a unified API across Go, Java, Node.js, Python, and other languages, letting developers define and enforce fine-grained permissions using a declarative policy language.",168,{"id":78,"uuid":79,"slug":80,"title":81,"description":82,"author_name":61,"view_count":83,"vote_count":24,"lang_type":25,"type":26,"type_label":27},1428,"4153bc1e-3900-11f1-9bc6-00163e2b0d79","open-policy-agent-opa-unified-policy-engine-cloud-native-4153bc1e","Open Policy Agent (OPA) — Unified Policy Engine for Cloud Native","CNCF graduated policy engine that decouples authorization and admission rules from your services. Write policies once in Rego, evaluate them anywhere.",261,{"id":85,"uuid":86,"slug":87,"title":88,"description":89,"author_name":90,"view_count":91,"vote_count":24,"lang_type":25,"type":92,"type_label":93},3443,"67ac2a2b-e81c-50f9-bb30-0943e7df8787","mcp-audit-scan-mcp-configs-for-secrets-shadow-apis","mcp-audit — Scan MCP Configs for Secrets & Shadow APIs","Audit MCP server configs and source trees to find exposed secrets, risky endpoints, and model access. Outputs JSON\u002FCSV\u002FSARIF\u002FCycloneDX AI-BOM for CI gates.","MCP Hub",139,"mcp","MCP","tokrepo install pack\u002Fmcp-auth-identity-stack",{"pageType":96,"pageKey":8,"locale":25,"title":97,"metaDescription":98,"h1":99,"tldr":100,"bodyMarkdown":101,"faq":102,"schema":118,"internalLinks":124,"citations":137,"wordCount":150,"generatedAt":151},"pack","MCP Auth + Identity Stack — 9 Open-Source Picks for OAuth \u002F SAML \u002F SSO","Infisical, sops, OpenAuth, OAuth Device Flow, Keycloak, Dex, Casbin, OPA, mcp-audit — the opinionated stack for wiring OAuth, SAML, or SSO into an MCP server. Install order, scope policies, audit logging.","MCP Auth + Identity Stack — Wiring OAuth \u002F SAML \u002F SSO Into MCP Without Regret","Nine open-source picks in deliberate order: store secrets first, get the OAuth flow right second, then plug in an identity provider, then bolt fine-grained scopes on top, and finally turn on audit. Skip any layer and a real auditor will find it before your users do.","## What's in this pack\n\nThis is the stack for the engineer who has decided their MCP server can't ship with `OPENAI_API_KEY` in `.env.example` anymore. Every pick is **open-source**, **production-grade**, and slots into a specific layer of the auth onion. The order matters — getting the bottom layer wrong makes every layer above it lie to you.\n\nThis stack does **not** include 'managed Auth0 wrapper' or 'one-click SSO' SaaS. The goal is owning the trust boundary end-to-end, because if your MCP server brokers tool calls into a customer's database, the trust boundary is the product.\n\n## Install in this order\n\n1. **Infisical** — secret vault, dev-facing. Replace `.env` files, give every service a typed secret. Self-hostable, has a CLI, has SDKs. Start here because every later tool needs somewhere to put a client secret, signing key, or webhook token. Do not skip to step 2 with secrets in plain config files.\n2. **sops** — secret encryption for git-committed config. Infisical handles runtime; sops handles the YAML \u002F JSON \u002F env files you genuinely want in version control (Helm values, Terraform tfvars, GitHub Actions). Mozilla's sops is the de facto standard, uses KMS \u002F age \u002F PGP under the hood. Pair, don't replace.\n3. **OpenAuth** — universal auth server you can self-host. Built by the SST team. Drop-in replacement for Auth0\u002FClerk if you want OAuth 2.1 + OIDC issuer of your own. Sane defaults, TypeScript-first, deploys to Lambda \u002F Cloudflare \u002F Node. Pick this if your MCP backend is JS\u002FTS and you don't already have a corporate IdP.\n4. **OAuth Device Flow — CLI Agent Login Checklist** — not a server, a checklist. CLI agents (Claude Code, Codex, Cursor, your own MCP client) authenticate via RFC 8628 device flow. This checklist covers user codes, polling intervals, token storage, refresh, and the security boundaries that bite you (verifier reuse, polling DoS, leaked codes in shell history). Read before writing the flow, not after.\n5. **Keycloak** — heavyweight IdP for SAML \u002F OIDC \u002F LDAP federation. Pick this if your customers expect to wire your MCP server to Okta \u002F Azure AD \u002F Google Workspace via SAML. Java, batteries-included admin UI, 15+ years of CVE-fixed maturity. Heavy (1-2 GB RAM) but bulletproof.\n6. **Dex** — lightweight OIDC identity provider with pluggable connectors. Pick this instead of Keycloak if you want a small Go binary that federates LDAP \u002F GitHub \u002F Google \u002F SAML into a single OIDC issuer and stops. Kubernetes-native, no admin UI to maintain. Cloud-native shops default to Dex; enterprise shops default to Keycloak.\n7. **Casbin** — flexible policy-based access control. After auth (who are you?) comes authz (what can you do?). Casbin gives you RBAC \u002F ABAC \u002F RESTful matchers in a tiny config file, with libraries in 15+ languages. Define `(subject, object, action)` rules and check them at every MCP tool entry point. Right-sized for app-layer scopes.\n8. **Open Policy Agent (OPA)** — Rego-based unified policy engine for cloud-native. Pick this over Casbin when policy needs to span more than one service — admission control, sidecar enforcement, terraform plan validation, MCP gateway middleware. Heavier than Casbin, but the right answer when 'who can call this MCP tool' is the same question as 'who can deploy this pod'.\n9. **mcp-audit** — scan MCP configs for secrets and shadow APIs. The honest audit step: point it at your MCP server config and it flags hardcoded keys, undocumented egress, and unscoped tools. Run in CI after every change. The pack you need *because* the other eight layers are easy to misconfigure.\n\n## How they fit together\n\n```\n         ┌─ Infisical (runtime secrets) ─┐\nSECRETS  │                                │── used by every layer below\n         └─ sops (git-tracked secrets) ──┘\n             │\n             ▼\nAUTHN    OpenAuth  \u002F  Keycloak  \u002F  Dex\n   (your MCP server issues \u002F validates OIDC tokens)\n             │\n             ▼\nFLOW     OAuth Device Flow Checklist\n   (CLI agents authenticate without a browser)\n             │\n             ▼\nAUTHZ    Casbin (in-process)  \u002F  OPA (sidecar)\n   (every MCP tool call passes through policy)\n             │\n             ▼\nAUDIT    mcp-audit (CI gate)  +  signed audit log\n   (you can prove what happened to a customer or a regulator)\n```\n\nThe most-skipped layer is **scopes** — teams ship OAuth, then expose every MCP tool to every authenticated user. That's the auth equivalent of `chmod 777`. Pick Casbin or OPA on day one and have a policy file in the repo before the first non-toy tool ships.\n\n## Tradeoffs you'll hit\n\n- **Infisical vs HashiCorp Vault** — Vault is more powerful (dynamic secrets, PKI, transit encryption, leases) but adds operational weight. Infisical wins on developer experience and is enough for 90% of MCP servers. Move to Vault when you need short-lived database credentials or your auditor asks for it.\n- **OpenAuth vs Keycloak vs Dex** — OpenAuth = build your own IdP cheaply in TS. Keycloak = enterprise IdP with admin UI. Dex = OIDC bridge in front of an existing identity store. Don't run two of these; pick one as your token issuer.\n- **Casbin vs OPA** — Casbin lives in-process, microsecond latency, simple model file. OPA runs as a service or sidecar, supports complex Rego, integrates with Kubernetes \u002F Envoy \u002F Terraform. Casbin if policy is local to your MCP server; OPA if it's organization-wide.\n- **Device Flow vs PKCE redirect** — for CLI \u002F agent clients with no browser, device flow is the right answer (read the checklist). For desktop or web MCP clients with a browser, PKCE redirect is simpler and safer.\n- **mcp-audit at gate vs at runtime** — CI gate catches config drift; runtime audit catches behavior. You want both eventually; ship the CI gate first.\n\n## Common pitfalls\n\n- **Storing secrets in MCP server `claude_desktop_config.json` or `.cursor\u002Fmcp.json`** — these files end up in dotfile repos, shared via screenshare, posted in issues. Reference an Infisical handle or sops-encrypted file instead of the raw value.\n- **Reusing the OAuth client secret across environments** — MCP servers often have a dev\u002Fstaging\u002Fprod split; one leaked secret then compromises three environments. Issue per-environment clients on day one.\n- **OIDC ID token used as bearer for tool calls** — ID tokens are for the client, not for upstream APIs. Exchange for an access token with the right `aud` and scopes.\n- **Granting `mcp:*` scope to every authenticated user** — define tool-level scopes (`mcp:tool:read_file`, `mcp:tool:exec`) and check them in middleware. Casbin \u002F OPA exists for this exact reason.\n- **No audit log on tool calls** — when a customer asks 'did this agent really delete that record?' you need a signed, append-only log. mcp-audit catches config issues; you still need to emit structured audit events from your MCP server itself.",[103,106,109,112,115],{"q":104,"a":105},"Do I really need both Infisical AND sops?","Yes, they solve different problems. Infisical replaces `.env` at runtime — your service fetches secrets at boot via a typed SDK or sidecar, with rotation and access logs. sops encrypts the YAML \u002F JSON \u002F tfvars files you want committed to git (Helm values, Terraform variables, GitHub Actions workflow inputs). Infisical is the source of truth for live secrets; sops is how you keep declarative config reviewable in PRs without leaking the literal values.",{"q":107,"a":108},"OpenAuth, Keycloak, or Dex — how do I pick?","OpenAuth if you're a TypeScript shop building your own IdP from scratch, with no legacy identity store. Keycloak if your customers expect a full enterprise IdP — SAML federation with Okta\u002FAzure AD, admin UI, account self-service, MFA out of the box. Dex if you already have an identity store (LDAP, GitHub, Google) and just need a small OIDC bridge in front of it. Running two of these multiplies your attack surface; pick one as your token issuer.",{"q":110,"a":111},"Casbin vs OPA — when does the extra OPA complexity pay off?","Casbin is right when policy lives inside one MCP server and the questions are 'does subject X have role Y' or 'does subject X have permission Z on resource R'. OPA is right when the same policy needs to be evaluated by multiple services (MCP gateway, Kubernetes admission, Terraform plan check, an API gateway) and you want one Rego rule as the source of truth. If you're not yet running OPA elsewhere, Casbin's a faster start with no operational tax.",{"q":113,"a":114},"What does the OAuth Device Flow checklist actually save me?","The mistakes that get caught in code review the second time but cost you a CVE the first time: not rotating the device code on retry, polling faster than the server's `interval` and getting rate-limited, logging the full user code in shell history, storing the refresh token in `~\u002F.config` with mode 644, not invalidating the refresh token on `logout`. The checklist is a one-page pre-flight so the senior reviewer can skip the obvious and look at your actual flow.",{"q":116,"a":117},"How does mcp-audit differ from a general secret scanner like Gitleaks?","Gitleaks scans git history for any string that looks like a credential. mcp-audit specifically understands MCP server config schemas — it flags an MCP tool with no scope, a server with `network_access: true` that didn't declare upstream hosts, a config that mounts the host filesystem without restriction. Different layer: Gitleaks for the repo, mcp-audit for the MCP config. Run both in CI, they don't overlap meaningfully.",{"@context":119,"@type":120,"name":121,"description":122,"numberOfItems":123,"inLanguage":25},"https:\u002F\u002Fschema.org","ItemList","MCP Auth + Identity Stack","Nine open-source picks for wiring OAuth, SAML, or SSO into an MCP server — installed in deliberate order from secret vault to audit log.",9,[125,129,133],{"url":126,"anchor":127,"reason":128},"\u002Fen\u002Ftopics","Browse other topic packs","MCP auth fits alongside other curated developer stacks",{"url":130,"anchor":131,"reason":132},"\u002Fen\u002Fai-tools-for\u002Fsecurity","Security tools for AI agents","Auth and secrets are the entry point to the broader agent security catalog",{"url":134,"anchor":135,"reason":136},"\u002Fen\u002Ffeatured","Featured assets on TokRepo","These nine picks live in the broader vetted catalog",[138,142,146],{"claim":139,"source_name":140,"source_url":141},"Infisical is open-source secret management","Infisical official site","https:\u002F\u002Finfisical.com\u002F",{"claim":143,"source_name":144,"source_url":145},"Casbin is a flexible policy-based access control library with implementations in many languages","Casbin official site","https:\u002F\u002Fcasbin.org\u002F",{"claim":147,"source_name":148,"source_url":149},"OAuth 2.0 Device Authorization Grant is specified in RFC 8628","IETF RFC 8628","https:\u002F\u002Fdatatracker.ietf.org\u002Fdoc\u002Fhtml\u002Frfc8628",920,"2026-05-22T10:00:00Z"]