quarkus -oidc-proxy
MCP server from sberyozkin/quarkus-mcp-server-oidc-proxy
claude mcp add --transport stdio sberyozkin-quarkus-mcp-server-oidc-proxy java -jar build/libs/quarkus-mcp-server-oidc-proxy.jar \ --env LOG_LEVEL="Logging level (e.g., INFO, DEBUG)" \ --env MCP_SERVER_URL="URL of the MCP server to proxy requests to" \ --env OIDC_CLIENT_ID="OIDC client identifier" \ --env OIDC_ISSUER_URL="OIDC provider issuer URL" \ --env QUARKUS_HTTP_PORT="Port to expose HTTP API (default 8080)" \ --env OIDC_CLIENT_SECRET="OIDC client secret (if required)"
How to use
This MCP server implements an OpenID Connect (OIDC) proxy tailored for MCP integrations running with the Quarkus stack. It sits between MCP clients and your OIDC provider, validating tokens, enriching requests, and enforcing access policies before forwarding calls to the MCP backend. Typical use cases include authenticating MCP participants, translating OIDC token claims into MCP-accessible attributes, and centralizing user authentication for MCP workflows. After starting the server, configure your MCP clients to target the proxy's HTTP endpoint as the upstream, and supply the OIDC issuer and client credentials so the proxy can validate tokens against your provider. The server exposes endpoints to verify tokens, introspect sessions, and apply policy-based access checks per request.
How to install
Prerequisites:
- Java 17+ (or compatible JDK)
- Maven or Gradle build tooling
- Access to an MCP server instance to proxy to
Installation steps:
- Clone the repository or download the release artifact.
- Build the project (examples):
- Maven: mvn -DskipTests package
- Gradle: ./gradlew build
- Locate the produced runnable JAR, typically under build/libs/ or target/ (e.g., quarkus-mcp-server-oidc-proxy.jar).
- Ensure required environment variables are set (see mcp_config env section).
- Run the server: java -jar build/libs/quarkus-mcp-server-oidc-proxy.jar
- Verify by sending a request to the proxy endpoint and checking token validation against your OIDC provider.
Additional notes
Notes and tips:
- Ensure the OIDC issuer URL is reachable from the proxy host and that any required TLS certificates are trusted by the Java runtime.
- If using client credentials flow, securely store the client secret and consider using a secrets manager in production.
- Set appropriate LOG_LEVEL for debugging (e.g., INFO, DEBUG) without exposing sensitive data in logs.
- The MCP backend URL (MCP_SERVER_URL) must be reachable from the proxy host; consider network ACLs and firewall rules.
- If you encounter token validation errors, verify clock skew settings and NTP synchronization on the host.
- For production deployments, consider containerizing the proxy or deploying behind a reverse proxy/load balancer and enabling metrics/exporters if supported.
- Review any Quarkus-specific configuration in application.properties or application.yaml to align with your environment.
