top | item 44184890

(no title)

leblancfg | 9 months ago

I hate the idea of MCP servers being their own OAuth providers and IMO I wouldn't use this. MCP servers just shouldn't have to handle OAuth user management. The only reason PostgreSQL is needed here is to store OAuth tokens for its users. It works though ¯\_(ツ)_/¯

The draft spec[1] – soon to be published AFAICT – flips this on its head and says "no, the MCP server is an OAuth2 protected resource, just go and talk to this authorization server and I'll accept its tokens". The MCP server doesn't need to handle anything related to auth. That's much saner, and would recommend people build towards _that_ particular future in mind.

But also broadly speaking: I strongly believe the mental model needs to move to MCP servers are URLs. It should just be extra endpoints and controllers on top of your app. I don't want to `npm install mcp-your-app` or go through someone else's implementation, I want to hit `https://your.app.com/mcp` directly.

I guess it's fine having the separate infra for an MCP server used to connect to 3p services... but fingers crossed, your 3p services starts exposing MCP endpoints directly.

edit: Add URL, fix words

1. https://modelcontextprotocol.io/specification/draft/basic/au...

discuss

fka|9 months ago

Just like any 3rd party server, it needs its own auth i think. like Sentry MCP. You want to track your own, authenticated servers on Sentry. So you need to auth with your own creds.

unknown|9 months ago

[deleted]