Stack Auth + Identité pour MCP
Neuf picks pour le dev qui branche OAuth, SAML ou SSO sur un serveur MCP — secret vault d'abord (Infisical ou sops), puis helpers OAuth/OIDC (OpenAuth, checklist Device Flow), puis fournisseur d'identité (Keycloak ou Dex), puis scopes fins (Casbin ou OPA), enfin audit (mcp-audit). Ordre d'install réfléchi.
What's in this pack
This is the stack for the engineer who has decided their MCP server can't ship with OPENAI_API_KEY in .env.example anymore. Every pick is open-source, production-grade, and slots into a specific layer of the auth onion. The order matters — getting the bottom layer wrong makes every layer above it lie to you.
This stack does not include 'managed Auth0 wrapper' or 'one-click SSO' SaaS. The goal is owning the trust boundary end-to-end, because if your MCP server brokers tool calls into a customer's database, the trust boundary is the product.
Install in this order
- Infisical — secret vault, dev-facing. Replace
.envfiles, give every service a typed secret. Self-hostable, has a CLI, has SDKs. Start here because every later tool needs somewhere to put a client secret, signing key, or webhook token. Do not skip to step 2 with secrets in plain config files. - sops — secret encryption for git-committed config. Infisical handles runtime; sops handles the YAML / JSON / env files you genuinely want in version control (Helm values, Terraform tfvars, GitHub Actions). Mozilla's sops is the de facto standard, uses KMS / age / PGP under the hood. Pair, don't replace.
- OpenAuth — universal auth server you can self-host. Built by the SST team. Drop-in replacement for Auth0/Clerk if you want OAuth 2.1 + OIDC issuer of your own. Sane defaults, TypeScript-first, deploys to Lambda / Cloudflare / Node. Pick this if your MCP backend is JS/TS and you don't already have a corporate IdP.
- OAuth Device Flow — CLI Agent Login Checklist — not a server, a checklist. CLI agents (Claude Code, Codex, Cursor, your own MCP client) authenticate via RFC 8628 device flow. This checklist covers user codes, polling intervals, token storage, refresh, and the security boundaries that bite you (verifier reuse, polling DoS, leaked codes in shell history). Read before writing the flow, not after.
- Keycloak — heavyweight IdP for SAML / OIDC / LDAP federation. Pick this if your customers expect to wire your MCP server to Okta / Azure AD / Google Workspace via SAML. Java, batteries-included admin UI, 15+ years of CVE-fixed maturity. Heavy (1-2 GB RAM) but bulletproof.
- Dex — lightweight OIDC identity provider with pluggable connectors. Pick this instead of Keycloak if you want a small Go binary that federates LDAP / GitHub / Google / SAML into a single OIDC issuer and stops. Kubernetes-native, no admin UI to maintain. Cloud-native shops default to Dex; enterprise shops default to Keycloak.
- Casbin — flexible policy-based access control. After auth (who are you?) comes authz (what can you do?). Casbin gives you RBAC / ABAC / RESTful matchers in a tiny config file, with libraries in 15+ languages. Define
(subject, object, action)rules and check them at every MCP tool entry point. Right-sized for app-layer scopes. - Open Policy Agent (OPA) — Rego-based unified policy engine for cloud-native. Pick this over Casbin when policy needs to span more than one service — admission control, sidecar enforcement, terraform plan validation, MCP gateway middleware. Heavier than Casbin, but the right answer when 'who can call this MCP tool' is the same question as 'who can deploy this pod'.
- mcp-audit — scan MCP configs for secrets and shadow APIs. The honest audit step: point it at your MCP server config and it flags hardcoded keys, undocumented egress, and unscoped tools. Run in CI after every change. The pack you need because the other eight layers are easy to misconfigure.
How they fit together
┌─ Infisical (runtime secrets) ─┐
SECRETS │ │── used by every layer below
└─ sops (git-tracked secrets) ──┘
│
▼
AUTHN OpenAuth / Keycloak / Dex
(your MCP server issues / validates OIDC tokens)
│
▼
FLOW OAuth Device Flow Checklist
(CLI agents authenticate without a browser)
│
▼
AUTHZ Casbin (in-process) / OPA (sidecar)
(every MCP tool call passes through policy)
│
▼
AUDIT mcp-audit (CI gate) + signed audit log
(you can prove what happened to a customer or a regulator)
The most-skipped layer is scopes — teams ship OAuth, then expose every MCP tool to every authenticated user. That's the auth equivalent of chmod 777. Pick Casbin or OPA on day one and have a policy file in the repo before the first non-toy tool ships.
Tradeoffs you'll hit
- Infisical vs HashiCorp Vault — Vault is more powerful (dynamic secrets, PKI, transit encryption, leases) but adds operational weight. Infisical wins on developer experience and is enough for 90% of MCP servers. Move to Vault when you need short-lived database credentials or your auditor asks for it.
- OpenAuth vs Keycloak vs Dex — OpenAuth = build your own IdP cheaply in TS. Keycloak = enterprise IdP with admin UI. Dex = OIDC bridge in front of an existing identity store. Don't run two of these; pick one as your token issuer.
- Casbin vs OPA — Casbin lives in-process, microsecond latency, simple model file. OPA runs as a service or sidecar, supports complex Rego, integrates with Kubernetes / Envoy / Terraform. Casbin if policy is local to your MCP server; OPA if it's organization-wide.
- Device Flow vs PKCE redirect — for CLI / agent clients with no browser, device flow is the right answer (read the checklist). For desktop or web MCP clients with a browser, PKCE redirect is simpler and safer.
- mcp-audit at gate vs at runtime — CI gate catches config drift; runtime audit catches behavior. You want both eventually; ship the CI gate first.
Common pitfalls
- Storing secrets in MCP server
claude_desktop_config.jsonor.cursor/mcp.json— these files end up in dotfile repos, shared via screenshare, posted in issues. Reference an Infisical handle or sops-encrypted file instead of the raw value. - Reusing the OAuth client secret across environments — MCP servers often have a dev/staging/prod split; one leaked secret then compromises three environments. Issue per-environment clients on day one.
- OIDC ID token used as bearer for tool calls — ID tokens are for the client, not for upstream APIs. Exchange for an access token with the right
audand scopes. - Granting
mcp:*scope to every authenticated user — define tool-level scopes (mcp:tool:read_file,mcp:tool:exec) and check them in middleware. Casbin / OPA exists for this exact reason. - No audit log on tool calls — when a customer asks 'did this agent really delete that record?' you need a signed, append-only log. mcp-audit catches config issues; you still need to emit structured audit events from your MCP server itself.
9 ressources prêtes à installer
Questions fréquentes
Do I really need both Infisical AND sops?
Yes, they solve different problems. Infisical replaces .env at runtime — your service fetches secrets at boot via a typed SDK or sidecar, with rotation and access logs. sops encrypts the YAML / JSON / tfvars files you want committed to git (Helm values, Terraform variables, GitHub Actions workflow inputs). Infisical is the source of truth for live secrets; sops is how you keep declarative config reviewable in PRs without leaking the literal values.
OpenAuth, Keycloak, or Dex — how do I pick?
OpenAuth if you're a TypeScript shop building your own IdP from scratch, with no legacy identity store. Keycloak if your customers expect a full enterprise IdP — SAML federation with Okta/Azure AD, admin UI, account self-service, MFA out of the box. Dex if you already have an identity store (LDAP, GitHub, Google) and just need a small OIDC bridge in front of it. Running two of these multiplies your attack surface; pick one as your token issuer.
Casbin vs OPA — when does the extra OPA complexity pay off?
Casbin is right when policy lives inside one MCP server and the questions are 'does subject X have role Y' or 'does subject X have permission Z on resource R'. OPA is right when the same policy needs to be evaluated by multiple services (MCP gateway, Kubernetes admission, Terraform plan check, an API gateway) and you want one Rego rule as the source of truth. If you're not yet running OPA elsewhere, Casbin's a faster start with no operational tax.
What does the OAuth Device Flow checklist actually save me?
The mistakes that get caught in code review the second time but cost you a CVE the first time: not rotating the device code on retry, polling faster than the server's interval and getting rate-limited, logging the full user code in shell history, storing the refresh token in ~/.config with mode 644, not invalidating the refresh token on logout. The checklist is a one-page pre-flight so the senior reviewer can skip the obvious and look at your actual flow.
How does mcp-audit differ from a general secret scanner like Gitleaks?
Gitleaks scans git history for any string that looks like a credential. mcp-audit specifically understands MCP server config schemas — it flags an MCP tool with no scope, a server with network_access: true that didn't declare upstream hosts, a config that mounts the host filesystem without restriction. Different layer: Gitleaks for the repo, mcp-audit for the MCP config. Run both in CI, they don't overlap meaningfully.
12 packs · 80+ ressources sélectionnées
Découvrez tous les packs curatés sur la page d'accueil
Retour à tous les packs