MCP.so
Sign In

🤫 Authenticated Remote MCP Server

@localden

About 🤫 Authenticated Remote MCP Server

Remote MCP server with auth gated by Azure API Management

Basic information

Category

Developer Tools

License

MIT

Runtime

bicep

Transports

stdio

Publisher

localden

Config

Add this server to your MCP-compatible client using the configuration below.

{
  "mcpServers": {
    "remote-auth-mcp-apim-py": {
      "command": "npx",
      "args": [
        "@modelcontextprotocol/[email protected]"
      ]
    }
  }
}

Tools

No tools detected

We auto-extract tools from the README. The maintainer can list them under a ## Tools heading to populate this section.

Overview

What is 🤫 Authenticated Remote MCP Server?

It is an experimental sample that shows how to deploy an Entra ID‑protected MCP server on Azure. The server uses an OAuth 2.0 authorization pattern where the client acquires a token for the server, then uses the on‑behalf‑of flow to exchange it for a Microsoft Graph access token. This is done in a completely secretless manner.

How to use 🤫 Authenticated Remote MCP Server?

Install the Azure Developer CLI, clone the repository, register the Microsoft.App resource provider, log in with azd auth login, and deploy with azd up. After deployment, copy the endpoint and use the Model Context Protocol Inspector (or Visual Studio Code) with SSE transport and Bearer token authentication to connect. Test the get_graph_user_details tool to retrieve the authenticated user’s Microsoft Graph data.

Key features of 🤫 Authenticated Remote MCP Server

  • OAuth 2.0 with PKCE to prevent authorization code interception
  • Dynamic client registration without client secrets
  • Encrypted session tokens and cookie‑based consent management
  • CSRF protection with double‑submit cookie pattern
  • Token caching with encrypted session keys for performance
  • On‑behalf‑of flow to access Microsoft Graph

Use cases of 🤫 Authenticated Remote MCP Server

  • Deploy a proof‑of‑concept Authenticated Remote MCP Server on Azure
  • Test the full OAuth 2.0 + PKCE flow with the MCP Inspector
  • Retrieve Microsoft Graph user data through an authenticated MCP tool
  • Demonstrate Entra ID protection patterns for remote MCP servers
  • Evaluate dynamic client registration and secretless authentication

FAQ from 🤫 Authenticated Remote MCP Server

What does this MCP server do exactly?

It acts as a protected MCP server that authenticates clients via Entra ID, dynamically registers client applications, and uses the on‑behalf‑of flow to securely call Microsoft Graph.

Is this server ready for production?

No. The README explicitly marks it as an experimental implementation and warns it should not be used in production scenarios.

What runtime dependencies are required?

The server runs on Azure Functions and Azure API Management, deployed with Bicep and Python. Testing requires Node.js (for the MCP Inspector) and the Azure Developer CLI.

Where does user data live?

User data is retrieved live from Microsoft Graph via the on‑behalf‑of flow. Tokens are cached in API Management with encrypted session keys; no persistent user data is stored locally.

How is transport and authentication handled?

Transport uses Server‑Sent Events (SSE) with a Bearer token. Authentication follows OAuth 2.0 with PKCE, dynamic client registration, and multiple secure cookies for state correlation and CSRF protection.

Comments

More Developer Tools MCP servers