mcp: support auth by HTTP Basic Auth

[lambochen]

Support a way to auth client-server connection.

I think it's necessary, such as, When using Claude Desktop to connect to a remote MCP Server, only one URL can be filled in. If identity authentication and authorization are implemented, passing information from the request parameters is a good choice.

Claude mcp config example:

{
  "mcpServers": {
    "mcp-remote-server-example": {
      "url": "http://127.0.0.1:8080/sse" 
    }
  }
}

[discard] support request params such as:

{
  "mcpServers": {
    "mcp-remote-server-example": {
      "url": "http://127.0.0.1:8080/sse?key=value" 
    }
  }
}

support 'HTTP Basic Auth' such as:

{
  "mcpServers": {
    "mcp-remote-server-example": {
      "url": "http://user:[email protected]:8080/sse" 
    }
  }
}

[lambochen]

PR: #2886

[lambochen]

CC: @tzolov thx

[lambochen]

related mcp issue: modelcontextprotocol/java-sdk#204
PR: modelcontextprotocol/java-sdk#205

[quaff]

Why not http://user:[email protected]:8080/sse?

[lambochen]

Thank you for your comment. HTTP Basic Auth is indeed a more suitable solution for authentication scenarios

Why not http://user:[email protected]:8080/sse?

[quaff]

It is indeed not possible to pass the username and password via query parameters in standard HTTP auth. Instead, you use a special URL format, like this: http://username:[email protected]/ -- this sends the credentials in the standard HTTP "Authorization" header.

See https://serverfault.com/a/371918

[lambochen]

It is indeed not possible to pass the username and password via query parameters in standard HTTP auth. Instead, you use a special URL format, like this: http://username:[email protected]/ -- this sends the credentials in the standard HTTP "Authorization" header.

See https://serverfault.com/a/371918

Thank you for your related sharing, I will adjust the plan to achieve authentication more securely

[funs690]

How to validate custom auth header in the sse server, such as token

client setting:
WebFluxSseClientTransport transport = new WebFluxSseClientTransport(WebClient.builder().baseUrl("http://127.0.0.1:9090").defaultHeader("token", "123456"));

[funs690]

This will be work

package com.zctech_ai.mcp_weather_server.config;

import lombok.extern.slf4j.Slf4j;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

@slf4j
@configuration
public class AuthConfig implements WebFilter {

/**
 * auth filter
 * @param exchange
 * @param chain
 * @return
 */
@Override
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
    // 获取请求头
    String token = exchange.getRequest().getHeaders().getFirst("token");
    log.debug("=================================================");
    log.debug("token: " + token);
    log.debug("=================================================");
    // 可以在此做校验、拒绝请求等逻辑
    if (token == null || token.isEmpty() || !"123456".equals(token)) {
        exchange.getResponse().setStatusCode(org.springframework.http.HttpStatus.UNAUTHORIZED);
        return exchange.getResponse().setComplete();
    }
    return chain.filter(exchange);
}

}