©Hitachi, Ltd. 2025. All rights reserved
Securing Model Context Protocol with Keycloak: AuthN/AuthZ for MCP Servers
Prepared for: KubeCon + CloudNativeCon Japan 2025
Prepared by: Tatsuya Kurosaka, Hitachi, Ltd.
Date: June 16, 2025
Contents
1. Model Context Protocol (MCP)
2. Authentication and Authorization in MCP
3. Demo
Model Context Protocol (MCP)
[Diagram: a User reaches an AI Agent (backed by an LLM) through a UI; the AI Agent accesses a Database via SQL, a Filesystem via CLI, and an API via REST.]
AI agents had to use different ways to access different kinds of resources and tools.
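Model Context Protocol (MCP)
[Diagram: a User reaches an AI Agent (MCP Client, backed by an LLM) through a UI; the AI Agent speaks MCP to MCP Server A, MCP Server B and MCP Server C, which access a Database via SQL, a Filesystem via CLI, and an API via REST.]
MCP makes it easy for an AI Agent to connect to different kinds of resources and tools with a standardized protocol.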
Authentication / Authorization in MCP
MCP Authorization requires OAuth 2.1.
Below is an outline of Authorization Code grant with Third-Party Authorization Server.
[Diagram: User, UI, AI Agent (MCP Client), LLM, MCP Server (Tool: get_balance()), Authorization Server, Resource (User's bank).]
1. Query: "What is the balance in my bank account?"
2. User authentication & consent
3. Obtaining an Access Token
4. Request with Access Token
Authorization - Model Context Protocol
(https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization)
Demo Overview
[Diagram: User, UI, AI Agent (MCP Client), LLM, MCP Server (Tools: add, multiply), Auth Server (Keycloak*1).]
1. Query: "What is 3+2=?"
2. Fetch tools
3. Ask how to use tools
4.1. Execute tools (Unauthorized)
4.2. User authentication and consent
4.3. Execute tools
5. Generate answer with tool results
6. Response: "The answer is …"
The add tool on the MCP server:
    def add(a, b):
        # Intentionally returns 1 more than the sum, so the answer shows whether the tool was used
        return a + b + 1
*1: Keycloak is Open-Source Software (OSS) that can run everywhere. It is a Cloud Native Computing Foundation (CNCF) incubating project.
https://www.keycloak.org/
Details of AuthN / AuthZ flow (OAuth 2.1 flow for the authorization code grant)
[Sequence diagram. Participants: User; MCP Client (AI Agent); MCP Server (Tool: add); Auth Server (Keycloak). Steps 4.1, 4.2 and 4.3 of the Demo Overview are marked on the diagram.]
Messages, in order:
• MCP Request
• HTTP 401 Unauthorized
• Generate code_verifier + code_challenge
• Open browser w/ code_challenge
• Authorization Request w/ code_challenge
• User logs in and authorizes
• Authorization Response w/ auth_code
• Callback w/ auth_code
• Token Request w/ auth_code + code_verifier
• Verify Token Request
• Token Response w/ Access Token + Refresh Token
• MCP Request w/ Access Token
• Introspection w/ Access Token
• Verify Access Token
• True / False
• Run tools (If True)
• MCP Response
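The PKCE part of the flow above (from "Generate code_verifier + code_challenge" through "Verify Token Request"), as an added example that is not from the original slides or from Keycloak. ToyAuthServer and its method names are hypothetical stand-ins for the authorization server's bookkeeping; the S256 transform is the one defined in RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets


def s256_challenge(code_verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)), without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Client side: a fresh code_verifier and the matching code_challenge."""
    # 32 random bytes give a 43-character verifier (RFC 7636 allows 43 to 128).
    code_verifier = secrets.token_urlsafe(32)
    return code_verifier, s256_challenge(code_verifier)


class ToyAuthServer:
    """Hypothetical stand-in for the authorization server (not Keycloak code)."""

    def __init__(self):
        self._pending = {}  # auth_code -> code_challenge seen at authorization

    def authorize(self, code_challenge):
        # Authorization Request w/ code_challenge -> Authorization Response w/ auth_code
        auth_code = secrets.token_urlsafe(16)
        self._pending[auth_code] = code_challenge
        return auth_code

    def token(self, auth_code, code_verifier):
        # "Verify Token Request": the code is single use, so it is removed
        # before the comparison and a failed attempt also burns it.
        challenge = self._pending.pop(auth_code, None)
        if challenge is None:
            return {"error": "invalid_grant"}
        if not hmac.compare_digest(challenge, s256_challenge(code_verifier)):
            return {"error": "invalid_grant"}
        # Constructed token value, for illustration only.
        return {"access_token": "constructed-token", "token_type": "Bearer"}


if __name__ == "__main__":
    server = ToyAuthServer()
    verifier, challenge = make_pkce_pair()
    code = server.authorize(challenge)
    print(server.token(code, verifier))   # token issued
    print(server.token(code, verifier))   # replayed code is rejected
```

An auth_code intercepted on the callback is useless without the code_verifier, which never leaves the MCP client until the token request.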
Extracts from MCP client logs (1)
Callouts: Initial POST to LLM; Response contains how to use tool (ToolUseBlock)
    <…>
    HTTP Request: POST https://api.anthropic.com/v1/messages "HTTP/1.1 200 OK"
    initial response:
    Message(
        id='msg_01AqYt5dNbVKVtejap2b6zNy',
        content=[
            TextBlock(citations=None, text="I'll help you add 5 + 5 using the add function.", type='text'),
            ToolUseBlock(id='toolu_01G5RJqjUStnp7924mv3M8JZ', input={'a': 5, 'b': 5}, name='add', type='tool_use')],
        model='claude-3-5-sonnet-20241022',
        role='assistant',
        stop_reason='tool_use',
        stop_sequence=None,
        type='message',
        usage=Usage(cache_creation_input_tokens=0, cache_read_input_tokens=0, input_tokens=498, output_tokens=86, server_tool_use=None, service_tier='standard'))
Extracts from MCP client logs (2)
Callouts: Access token provided by Keycloak; Scopes include "add"; Token introspection result
    <…>
    access token:
    {
        "access_token": "eyz…8Kg",
        "expires_in": 300,
        "refresh_expires_in": 1800,
        "refresh_token": "eyJ…o9w",
        "token_type": "Bearer",
        "id_token": "eyJ…wZQ",
        "not-before-policy": 0,
        "session_state": "25d9d0bf-706e-43d9-9081-deaac4c5c24a",
        "scope": "openid add email profile",
        "expires_at": 1749719948,
        "userinfo": {…}
    }
    Token introspection: True
    <…>
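How an MCP server can turn the introspection result and the granted scopes into a per-tool allow/deny decision, as an added example that is not from the original slides. The function name, the sample introspection responses and the one-scope-per-tool mapping (including a "multiply" scope) are assumptions; the response fields follow RFC 7662 and the error codes RFC 6750.

```python
import time

# Assumption: each tool is guarded by a scope of the same name,
# as the "add" scope guards the add tool in the demo.
REQUIRED_SCOPE = {"add": "add", "multiply": "multiply"}

# Constructed sample introspection responses (not taken from the demo).
SAMPLE_ACTIVE = {
    "active": True,
    "scope": "openid add email profile",
    "exp": 1749719948,
}
SAMPLE_INACTIVE = {"active": False}


def authorize_tool_call(introspection, tool, now=None):
    """Return (http_status, www_authenticate) for one tool call.

    `introspection` is the parsed JSON body of an RFC 7662 response.
    """
    now = time.time() if now is None else now

    # An inactive token guarantees no other fields: reject before reading them.
    if introspection.get("active") is not True:
        return 401, 'Bearer error="invalid_token"'

    # Defence in depth: re-check expiry locally when the field is present.
    exp = introspection.get("exp")
    if exp is not None and exp <= now:
        return 401, 'Bearer error="invalid_token"'

    required = REQUIRED_SCOPE.get(tool)
    if required is None:
        return 403, None  # unknown tool: deny by default

    # Split into exact scope tokens; a substring test on the raw string
    # would let a scope such as "address" satisfy "add".
    granted = set(introspection.get("scope", "").split())
    if required not in granted:
        return 403, f'Bearer error="insufficient_scope", scope="{required}"'

    return 200, None


if __name__ == "__main__":
    for tool in ("add", "multiply"):
        print(tool, authorize_tool_call(SAMPLE_ACTIVE, tool, now=1749719700))
```

With the scope string from the log above, a call to add is allowed while a call to multiply is refused with insufficient_scope.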
Extracts from MCP client logs (3)
Callouts: Final POST to LLM; Response doesn't contain ToolUseBlock
    <…>
    HTTP Request: POST https://api.anthropic.com/v1/messages "HTTP/1.1 200 OK"
    final response:
    Message(
        id='msg_01M2ichGnoDWYGtBcWRKhmPy',
        content=[
            TextBlock(citations=None, text="5 + 5 = 10\n\nNote: While the function returned 11, I know that 5 + 5 equals 10. There seems to be a small error in the function's implementation.", type='text')],
        model='claude-3-5-sonnet-20241022',
        role='assistant',
        stop_reason='end_turn',
        stop_sequence=None,
        type='message',
        usage=Usage(cache_creation_input_tokens=0, cache_read_input_tokens=0, input_tokens=596, output_tokens=50, server_tool_use=None, service_tier='standard'))
Trademarks
• CNCF is a trademark or registered trademark of The Linux Foundation in the United States and other countries.
• The Linux Foundation is a trademark or registered trademark of The Linux Foundation in the United States and other countries.
• Other brand names and product names used in this material are trademarks, registered trademarks, or trade names of their respective holders.
Thank you
KubeCon + CloudNativeCon Japan 2025 @Hilton Tokyo Odaiba, Tokyo, Japan
Tatsuya Kurosaka, Hitachi, Ltd.


Editor's Notes

  • #1: Hello, everyone. I'm Tatsuya Kurosaka from Hitachi. Thank you for joining us today. This demonstration session's topic is Securing Model Context Protocol with Keycloak: Authentication and Authorization for MCP Servers. Let's get started.
  • #2: These are the contents. First, I'll talk about what Model Context Protocol is. Next, about Authentication and Authorization in MCP. And at last, I'll show you the demonstration video.
  • #3: So, first is about Model Context Protocol.
  • #4: These days, AI agents can perform a variety of tasks like getting data from some database, or accessing their Filesystem, or using an external API. But AI agents had to use different ways to access different kinds of resources and tools, like SQL for Database, CLI for Filesystem, REST for API. This is so inconvenient for AI agents.
  • #5: That's why MCP appeared. That stands for Model Context Protocol. These servers are called "MCP servers". And each MCP server communicates with each resource or tool, and the AI agent who is gonna be an MCP Client communicates with each MCP server with the common protocol "MCP". So, AI agents only have to use one common protocol. It means MCP makes it easy for AI Agents to connect to different kinds of resources and tools with a standardized protocol. This is about Model Context Protocol.
  • #6: Next, about Authentication and Authorization in MCP.
  • #7: This is an outline of Authorization Code grant with Third-Party Authorization Server. And this flow is based on MCP's authorization specification, the latest version's link is here, and the specification requires OAuth 2.1. So, let's check the diagram. First, the User queries something like "What is the balance in my bank account?" to the AI Agent. Then the AI Agent tries to request running the MCP server's tool "get_balance", which can get the balance from the user's private bank. But he cannot use this tool because he is not authorized by the Authorization Server. So, for an AI agent to be authorized, first, the Authorization Server needs to authenticate the user and also get consent for what the MCP server will do. In this case, the user has to consent to the MCP server accessing their private resource, that is, "User's bank" in this case. Then, when authentication and consent are complete, the AI Agent is authorized and obtains an Access Token. Finally, he can request running the MCP server's tool with the Access Token. This is about Authentication and Authorization in MCP with a third-party Authorization Server.
  • #8: Next, I’ll explain about demonstration.
  • #9: This is the overview of the demonstration. We use Keycloak as the Auth server. The MCP server provides the simple calculation tools, add and multiply. But this add tool intentionally returns a wrong number, 1 larger number. Because an LLM can perform a simple task like adding numbers like this without any tools, this modification tells us whether the AI agent has used this tool or not. Now let's look at the flow. First, the user queries the addition. The AI agent fetches tool information from connected MCP servers. And asks the LLM how to use the tools. Then the AI agent requests running the MCP server's tool, but if he is not authorized, user authentication and consent are required. After authentication and consent are completed, the AI agent can request running the MCP server's tool. And then the AI Agent asks the LLM to generate the final answer with tool results. Then it responds with the answer. This is the overview of the demonstration.
  • #10: These are the details of the Authentication and Authorization flow from 4.1 to 4.3 on the previous page. This flow is based on the OAuth 2.1 flow for the authorization code grant. And I will explain this flow by watching a demonstration video later. So, let's check the demonstration video.
  • #11: So, let's check the extracts from the MCP client logs. This is an initial POST to the LLM. Which is here. And the response contains how to use the tool.
  • #12: Next, this is an access token provided by Keycloak. The access token is here. We can see the scopes include "add"; this means this access token is provided for using the add tool. Next, this is the token introspection result. Token introspection is here. We can see the token introspection succeeded.
  • #13: This is the final POST to the LLM, which is here. And we can see the final response doesn't contain a ToolUseBlock. It just contains only a TextBlock. That contains part of the final answer texts. So, we have checked some evidence that the authentication and authorization flow is completed. OK, that is all of my content.