docs(mcp): document OAuth2 security for the MCP server with Symfony#2306
Merged
Conversation
soyuka
force-pushed
the
docs/mcp-oauth-4.3
branch
from
5ffab9c to
36a18d1
Compare
Add a "Securing the MCP Server with OAuth2 (Symfony)" section to the MCP guide. Covers the RFC 9728 discovery flow and the four pieces needed to secure the /mcp endpoint with the Symfony Security component, with no MCP-specific security layer: - a stateless firewall + access token handler (oidc discovery, with an oauth2 introspection variant for opaque tokens); - an AttributesBasedUserProviderInterface mapping token claims to roles; - a public /.well-known/oauth-protected-resource metadata endpoint; - a WWW-Authenticate challenge listener completing the discovery loop. Also shows an optional OpenAPI SecurityScheme decorator to advertise the OAuth2 flow in Swagger UI.
soyuka
force-pushed
the
docs/mcp-oauth-4.3
branch
from
36a18d1 to
7011ee1
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Documents how to secure the API Platform MCP server with OAuth2 using the Symfony Security component, applied to the MCP guide (
core/mcp.md).The key takeaway: no MCP-specific security layer is needed —
symfony/security-bundlealready has everything. The/mcpendpoint is plain HTTP (JSON-RPC), so it's protected upstream like any other route.What's covered
New section "Securing the MCP Server with OAuth2 (Symfony)" describing the MCP authorization / RFC 9728 discovery flow and the four pieces it requires:
oidcdiscovery with Keycloak, plus anoauth2introspection variant for opaque tokens).AttributesBasedUserProviderInterfacemapping token claims to roles./.well-known/oauth-protected-resourcemetadata endpoint.WWW-Authenticatechallenge listener (RFC 9728 §5.1) completing the discovery loop.Plus an optional OpenAPI
SecuritySchemedecorator to advertise the OAuth2 flow in Swagger UI.Code examples are derived from a working API Platform + Keycloak deployment and validated against
modelcontextprotocol/inspector.