Skip to content

Commit b68a193

Browse files
committed
Add API Key, DPoP, and Mutual TLS running instructions to multiprotocol examples
1 parent 6aa7e77 commit b68a193

File tree

3 files changed

+116
-1
lines changed

3 files changed

+116
-1
lines changed

examples/README.md

Lines changed: 21 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,25 @@
11
# Python SDK Examples
22

3-
This folders aims to provide simple examples of using the Python SDK. Please refer to the
3+
This folder aims to provide simple examples of using the Python SDK. Please refer to the
44
[servers repository](https://github.com/modelcontextprotocol/servers)
55
for real-world servers.
6+
7+
## Multi-protocol auth
8+
9+
- **Server**: [simple-auth-multiprotocol](servers/simple-auth-multiprotocol/) — RS with OAuth, API Key, DPoP, and Mutual TLS (placeholder).
10+
11+
**API Key**
12+
13+
- Use `MCP_API_KEY` on the client; start RS with `--api-keys=...` (no AS required).
14+
- One-command test (from repo root): `MCP_PHASE2_PROTOCOL=api_key ./scripts/run_phase2_multiprotocol_integration_test.sh`
15+
16+
**OAuth + DPoP**
17+
18+
- Start AS and RS with `--dpop-enabled`; client: `MCP_USE_OAUTH=1 MCP_DPOP_ENABLED=1`.
19+
- One-command test (from repo root): `./scripts/run_phase4_dpop_integration_test.sh` (use `MCP_SKIP_OAUTH=1` to skip manual OAuth step).
20+
21+
**Mutual TLS (placeholder)**
22+
23+
- mTLS is a placeholder (no client cert validation). Script: `MCP_PHASE2_PROTOCOL=mutual_tls ./scripts/run_phase2_multiprotocol_integration_test.sh`
24+
25+
**Client**: [simple-auth-multiprotocol-client](clients/simple-auth-multiprotocol-client/) — supports API Key (`MCP_API_KEY`), OAuth+DPoP (`MCP_USE_OAUTH=1`, `MCP_DPOP_ENABLED=1`), and mTLS placeholder.

examples/clients/simple-auth-multiprotocol-client/README.md

Lines changed: 44 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,50 @@ MCP client example using **MultiProtocolAuthProvider** with **API Key** and **Mu
1212
2. From this directory: `uv run mcp-simple-auth-multiprotocol-client` or `uv run python -m mcp_simple_auth_multiprotocol_client`.
1313
3. Optional: `MCP_SERVER_URL=http://localhost:8002/mcp` to override server URL.
1414

15+
## Running with API Key
16+
17+
When the server supports API Key (e.g. `simple-auth-multiprotocol` with `--api-keys`), set:
18+
19+
- **`MCP_API_KEY`** – your API key (e.g. `demo-api-key-12345`). The client sends it as `X-API-Key`.
20+
- **`MCP_SERVER_URL`** – optional; default is `http://localhost:8002/mcp` when using the default client config.
21+
22+
Example (server on port 8002, no OAuth/AS required):
23+
24+
```bash
25+
MCP_SERVER_URL=http://localhost:8002/mcp MCP_API_KEY=demo-api-key-12345 uv run mcp-simple-auth-multiprotocol-client
26+
```
27+
28+
**One-command test** from repo root:
29+
`MCP_PHASE2_PROTOCOL=api_key ./scripts/run_phase2_multiprotocol_integration_test.sh`
30+
starts the resource server and this client with API Key; at `mcp>` run `list`, `call get_time {}`, `quit`.
31+
32+
## Running with OAuth + DPoP
33+
34+
When the server has DPoP enabled (`--dpop-enabled`), use OAuth and DPoP together:
35+
36+
- **`MCP_USE_OAUTH=1`** – enable OAuth (required for DPoP).
37+
- **`MCP_DPOP_ENABLED=1`** – send DPoP-bound access tokens (DPoP proof in each request).
38+
39+
Example (server on port 8002 with DPoP, AS on 9000):
40+
41+
```bash
42+
MCP_SERVER_URL=http://localhost:8002/mcp MCP_USE_OAUTH=1 MCP_DPOP_ENABLED=1 uv run mcp-simple-auth-multiprotocol-client
43+
```
44+
45+
Complete OAuth in the browser; then at `mcp>` run `list`, `call get_time {}`, `quit`. Server logs should show "Authentication successful with DPoP".
46+
47+
**One-command test** from repo root:
48+
`./scripts/run_phase4_dpop_integration_test.sh` — starts AS and RS with DPoP, then runs this client (OAuth+DPoP). Use `MCP_SKIP_OAUTH=1` to run only the automated curl tests and skip the manual client step.
49+
50+
## Running with Mutual TLS (placeholder)
51+
52+
Mutual TLS is a **placeholder** in this example: the client registers the `mutual_tls` protocol but does **not** perform client certificate authentication. Selecting mTLS will show a "not implemented" style message.
53+
54+
- **`MCP_PHASE2_PROTOCOL=mutual_tls`** (with the phase2 script) runs this client in mTLS mode; the client will start but mTLS auth is not implemented.
55+
56+
**One-command test** from repo root:
57+
`MCP_PHASE2_PROTOCOL=mutual_tls ./scripts/run_phase2_multiprotocol_integration_test.sh`
58+
1559
## Commands
1660

1761
- `list` – list tools

examples/servers/simple-auth-multiprotocol/README.md

Lines changed: 51 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -19,11 +19,62 @@ MCP Resource Server example that supports **OAuth 2.0** (introspection), **API K
1919
- API Key: set header `X-API-Key: demo-api-key-12345` or `Authorization: Bearer demo-api-key-12345` (default key).
2020
Custom keys: `--api-keys=key1,key2`.
2121

22+
## Running with API Key only
23+
24+
You can run the Resource Server **without** the Authorization Server when using API Key authentication:
25+
26+
1. **Start the Resource Server** (from this directory):
27+
```bash
28+
uv run mcp-simple-auth-multiprotocol-rs --port=8002 --api-keys=demo-api-key-12345
29+
```
30+
31+
2. **Run the client** from `examples/clients/simple-auth-multiprotocol-client`:
32+
```bash
33+
MCP_SERVER_URL=http://localhost:8002/mcp MCP_API_KEY=demo-api-key-12345 uv run mcp-simple-auth-multiprotocol-client
34+
```
35+
36+
3. At the `mcp>` prompt, run `list`, `call get_time {}`, then `quit`.
37+
38+
**One-command verification** (from repo root):
39+
`MCP_PHASE2_PROTOCOL=api_key ./scripts/run_phase2_multiprotocol_integration_test.sh`
40+
This starts the RS, then the client with API Key; complete the session with `list`, `call get_time {}`, `quit`.
41+
42+
## Running with DPoP (OAuth + DPoP)
43+
44+
DPoP (Demonstrating Proof-of-Possession, RFC 9449) binds the access token to a client-held key. Use it together with OAuth.
45+
46+
1. **Start the Authorization Server** (from `examples/servers/simple-auth`):
47+
`uv run mcp-simple-auth-as --port=9000`
48+
49+
2. **Start this Resource Server with DPoP enabled** (from this directory):
50+
```bash
51+
uv run mcp-simple-auth-multiprotocol-rs --port=8002 --auth-server=http://localhost:9000 --api-keys=demo-api-key-12345 --dpop-enabled
52+
```
53+
54+
3. **Run the client** with OAuth and DPoP from `examples/clients/simple-auth-multiprotocol-client`:
55+
```bash
56+
MCP_SERVER_URL=http://localhost:8002/mcp MCP_USE_OAUTH=1 MCP_DPOP_ENABLED=1 uv run mcp-simple-auth-multiprotocol-client
57+
```
58+
Complete OAuth in the browser, then at `mcp>` run `list`, `call get_time {}`, `quit`. Server logs should show "Authentication successful with DPoP".
59+
60+
**One-command verification** (from repo root):
61+
`./scripts/run_phase4_dpop_integration_test.sh` — starts AS and RS (with `--dpop-enabled`), runs automated DPoP tests, then optionally the OAuth+DPoP client (use `MCP_SKIP_OAUTH=1` to skip the manual OAuth step).
62+
63+
## Running with Mutual TLS (placeholder)
64+
65+
Mutual TLS is a **placeholder** in this example: the server accepts the `mutual_tls` protocol in PRM/discovery but does **not** perform client certificate validation. Selecting mTLS in the client will show a "not implemented" style message.
66+
67+
- **Server**: No extra flags; `auth_protocols` already includes `mutual_tls`.
68+
- **Client** (from repo root):
69+
`MCP_PHASE2_PROTOCOL=mutual_tls ./scripts/run_phase2_multiprotocol_integration_test.sh`
70+
The client will start but mTLS authentication is not implemented in this example.
71+
2272
## Options
2373

2474
- `--port`: RS port (default 8002).
2575
- `--auth-server`: AS URL (default http://localhost:9000).
2676
- `--api-keys`: Comma-separated valid API keys (default demo-api-key-12345).
2777
- `--oauth-strict`: Enable RFC 8707 resource validation.
78+
- `--dpop-enabled`: Enable DPoP proof verification (RFC 9449); use with OAuth.
2879

2980
Mutual TLS is a placeholder (no client certificate validation).

0 commit comments

Comments
 (0)