Enhance MCP Authentication: Investigate Native ASP.NET Core Authorization and Entra ID Support

[davebirr]

🎯 Overview

Investigate and implement enhanced authentication and authorization for the FabrikamMcp server, leveraging new ModelContextProtocol 0.4.0-preview.1 features and native Entra ID integration.

🔍 Background

PR #733 in the MCP C# SDK introduced native ASP.NET Core authorization support with [Authorize] attributes. This provides an opportunity to enhance our current custom authorization system while also implementing native Entra ID support.

Current State:

• ✅ Custom [McpAuthorize] attributes with role-based access control
• ✅ AuthenticatedMcpToolBase for manual authorization validation
• ✅ JWT Bearer token authentication
• ✅ Session management for HTTP transport

🚀 Proposed Enhancements

1. Native MCP Authorization (PR #733 Features)

• Goal: Leverage built-in ASP.NET Core [Authorize] attribute support
• Benefits:
  • Standard ASP.NET Core patterns
  • Automatic tool filtering in list operations
  • Framework-level security integration
  • Reduced custom code complexity

2. Native Entra External ID Support

• Goal: Implement Microsoft Entra ID authentication
• Benefits:
  • Enterprise-grade authentication
  • Single sign-on capabilities
  • Better integration with Microsoft ecosystem
  • OAuth 2.0/OpenID Connect compliance

3. Hybrid Authentication Strategy

• Goal: Support multiple authentication modes simultaneously
• Options:
  • Entra ID (preferred for enterprise)
  • JWT Bearer tokens (existing compatibility)
  • Disabled mode (development)

🔧 Technical Investigation Areas

Native Authorization Migration

// CURRENT (Custom)
[McpServerTool, Description("Get sales analytics")]
[McpAuthorize(McpRoles.Admin, McpRoles.Sales)]
public async Task<object> GetSalesAnalytics(string? userGuid = null)

// PROPOSED (Native MCP + ASP.NET Core)
[McpServerTool, Description("Get sales analytics")]
[Authorize(Roles = "Admin,Sales")] // Native ASP.NET Core attribute
public async Task<object> GetSalesAnalytics(string? userGuid = null)

Entra ID Integration

• OpenID Connect configuration
• Token validation with Microsoft identity platform
• Role/claim mapping from Entra ID to MCP roles
• Multi-tenant support considerations

Backward Compatibility

• Gradual migration strategy (new tools use native, existing tools unchanged)
• Configuration-driven authentication mode selection
• Testing strategy for multiple auth modes

📋 Implementation Tasks

Phase 1: Investigation & Design

• Test native [Authorize] attribute support in MCP 0.4.0-preview.1
• Research Entra External ID configuration patterns
• Design hybrid authentication architecture
• Create proof-of-concept in feature branch

Phase 2: Native Authorization

• Implement native authorization filters
• Migrate select tools to [Authorize] attributes
• Validate tool listing behavior with authorization
• Update testing infrastructure

Phase 3: Entra ID Integration

• Configure OpenID Connect with Entra ID
• Implement token validation and claim mapping
• Add Entra-specific authentication service
• Create Entra ID configuration documentation

Phase 4: Testing & Documentation

• Comprehensive testing across all auth modes
• Update deployment templates for Entra ID
• Document configuration options
• Create migration guide from current system

🎯 Success Criteria

• Native ASP.NET Core authorization working with MCP tools
• Entra ID authentication functional in development and Azure
• Backward compatibility maintained with existing JWT system
• Tool listing properly filters unauthorized tools
• Comprehensive test coverage for all authentication modes
• Clear documentation for configuration and migration

📚 References

• MCP SDK PR #733 - Native Authorization Support
• Microsoft Entra External ID Documentation
• ASP.NET Core Authorization Documentation

⚠️ Risk Considerations

• Breaking Changes: Migration from custom to native authorization
• Complexity: Multiple authentication modes increase configuration complexity
• Testing: Comprehensive validation across authentication scenarios
• Deployment: Azure configuration changes for Entra ID

🔄 Implementation Strategy

Recommended Approach: Create feature branch for non-destructive exploration

• Implement alongside existing system
• Gradual migration rather than wholesale replacement
• Thorough testing before production deployment

---

Priority: Medium (Enhancement)
Complexity: High
Timeline: 2-3 sprints for full implementation