diff --git a/src/content/docs/agents/model-context-protocol/authorization.mdx b/src/content/docs/agents/model-context-protocol/authorization.mdx index 1392cd370296164..fef350175217390 100644 --- a/src/content/docs/agents/model-context-protocol/authorization.mdx +++ b/src/content/docs/agents/model-context-protocol/authorization.mdx @@ -75,7 +75,13 @@ sequenceDiagram Remember — [authentication is different from authorization](https://www.cloudflare.com/learning/access-management/authn-vs-authz/). Your MCP Server can handle authorization itself, while still relying on an external authentication service to first authenticate users. The [example](/agents/guides/remote-mcp-server) in getting started provides a mock authentication flow. You will need to implement your own authentication handler — either handling authentication yourself, or using an external authentication services. -### (2) Third-party OAuth Provider +### (2) Cloudflare Access integration + +You can use Cloudflare Access as a Single Sign-On (SSO) provider to authorize users to your MCP server. Users log in using a [configured identity provider](/cloudflare-one/identity/idp-integration/) or a [one-time PIN](/cloudflare-one/identity/one-time-pin/), and they are only granted access if their identity matches your [Access policies](/cloudflare-one/policies/access/). + +To deploy an [example MCP server](https://github.com/cloudflare/ai/tree/main/demos/remote-mcp-cf-access) with Cloudflare Access as the OAuth provider, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp/). + +### (3) Third-party OAuth Provider The [OAuth Provider Library](https://github.com/cloudflare/workers-oauth-provider) can be configured to use a third-party OAuth provider, such as GitHub or Google. You can see a complete example of this in the [GitHub example](/agents/guides/remote-mcp-server/#add-authentication). @@ -122,7 +128,7 @@ sequenceDiagram Read the docs for the [Workers oAuth Provider Library](https://github.com/cloudflare/workers-oauth-provider) for more details. -### (3) Bring your own OAuth Provider +### (4) Bring your own OAuth Provider If your application already implements an OAuth Provider itself, or you use [Stytch](https://stytch.com/), [Auth0](https://auth0.com/), [WorkOS](https://workos.com/), or authorization-as-a-service provider, you can use this in the same way that you would use a third-party OAuth provider, described above in (2). @@ -196,7 +202,7 @@ function requirePermission(permission, handler) { status: 403 }; } - + // If permission check passes, execute the handler return handler(request, context); }; @@ -208,7 +214,7 @@ async init() { this.server.tool("basicTool", "Available to all users", {}, async () => { // Implementation for all users }); - + // Protected tool using the permission wrapper this.server.tool( "adminAction", @@ -221,7 +227,7 @@ async init() { }; }) ); - + // Conditionally register tools based on user permissions if (this.props.permissions?.includes("special_feature")) { this.server.tool("specialTool", "Special feature", {}, async () => { @@ -231,7 +237,7 @@ async init() { } ``` -Benefits: +Benefits: - Authorization check at the tool level ensures proper access control - Allows you to define permission checks once and reuse them across tools - Provides clear feedback to users when permission is denied