WingNews logo WingNews
top | item 44064101

(no title)

thembones | 9 months ago

Good point about the M x N problem reduction, but this glosses over a critical limitation. While MCP does turn integration complexity from M x N to M + N for the protocol layer, authentication and authorization remain stubbornly M x N problems.

Each MCP server still needs to handle auth differently depending on what it's connecting to. A GitHub MCP server needs GitHub tokens, a database server needs database credentials, an email server needs SMTP auth, etc. The client application now has to manage and securely store N different credential types instead of implementing N different integrations.

So yes, the protocol complexity is reduced, but the real operational headache (managing secrets, handling token refresh, dealing with different auth flows) just gets moved around rather than solved. In some ways this might actually be worse since you now have N different processes that each need their own credential management instead of one application handling it all.

This doesn't make MCP useless, but the "M x N to M + N" framing undersells how much complexity remains in the parts that actually matter for production deployments.

discuss

order

nilslice|9 months ago

> Each MCP server still needs to handle auth differently depending on what it's connecting to.

Setting aside expected criticism about this being some middleware layer, but we’ve launched a solution to this problem:

An MCP “SSO”, where you install and auth your MCP servers into profiles (collections of servers), which we virtualize into a single MCP server with only a single OAuth flow — simplifying the experience substantially for both the user of the MCP servers and the clients connecting to them.

https://docs.mcp.run/blog/2025/05/14/mcp-sso/

soulofmischief|9 months ago

If PGP had evolved with better ergonomics, the world would be so different today. I should just be able to use one key or certificate everywhere, with a web of trust to help providers decide whether my key is authentic.

nurettin|9 months ago

I imagine this will speed up the convergence of all servers towards oauth and totp

cruffle_duffle|9 months ago

You still have different tokens for every site.

I think this problem is inherent to connecting to a bunch of different providers. Unless all the providers were the same company or had to register directly with a single company and then proxy through but even then now you’ve just moved the problem.

heisenbit|9 months ago

If the MCP is running on the user client side and only the llm is remote then possibly one can leverage the existing authentication infrastructure between enterprise IdP, browser, MCP and the enterprise target sites?

jononor|9 months ago

Seems like you have identified a potential business need! If some component could simplify the auth similarly, that would presumably be very valuable. Could be an open source project, or a startup (or both).