Authn, authz, HTTPS, Rate limiting, other http access controls to HTTP/SSE server

[tjhop]

Currently, the MCP server supports using a prometheus HTTP config file to configure access for the MCP server to connect with the backend prometheus api. However, there are no options to configure security access to the MCP server itself. This is especially important when running in SSE/HTTP transport modes, as it can mean the MCP server is running in a shared/multi-tenant environment, with concurrent users. In such deployments, it's important to ensure secure/controlled access to between the users and the MCP server as well.

Security considerations include but are not limited to:

• authentication and authorization
• configurable TLS for HTTPS
• rate limiting, in at least some form to prevent things like DoS attacks, etc
• support basic authentication

Options:

1. Directly implement support the MCP server to support these options
2. Leave security for user <> MCP server up to the user, potentially provide docs for common reverse proxies like nginx/caddy/traefik/etc
3. Explore using an mcp specific proxy, such as mcp-proxy and see what security options exist there

[jpinsonneau]

I have implemented a simple code to forward the authorization header to prometheus endpoint and validate the token from there: #44. That's useful especially if you rely on https://github.com/observatorium/api in openshift environment.

That's a start but doesn't cover all cases. We should consider following what's been done in kubernetes-mcp-server here allowing oauth to be configured:

• https://github.com/containers/kubernetes-mcp-server/blob/v0.0.53/pkg/config/config.go#L33-L63
• https://github.com/containers/kubernetes-mcp-server/blob/v0.0.53/pkg/http/authorization.go#L159-L172

If we want to delegate some work to the users, there are existing solutions we can document like https://github.com/kagenti/mcp-gateway that handle oauth and allow you to filter tools exposed to the users.