rmcp-server-kit 1.3.2

Reusable MCP server framework with auth, RBAC, and Streamable HTTP transport (built on the rmcp SDK)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79

//! OAuth 2.1 resource-server example.
//!
//! Validates incoming `Authorization: Bearer <jwt>` tokens against a remote
//! JWKS endpoint and maps OAuth scopes onto rmcp-server-kit RBAC roles. Requires the
//! `oauth` Cargo feature.
//!
//! Run with:
//!
//! ```bash
//! cargo run --example oauth_server --features oauth
//! ```
//!
//! Then call the server with a JWT issued by your identity provider:
//!
//! ```bash
//! curl -H "Authorization: Bearer $JWT" http://127.0.0.1:8080/mcp
//! ```
//!
//! Replace the placeholder issuer / audience / JWKS URL below with values
//! from your identity provider (Auth0, Okta, Keycloak, Entra ID, …).

use std::sync::Arc;

use rmcp::{
    handler::server::ServerHandler,
    model::{ServerCapabilities, ServerInfo},
};
use rmcp_server_kit::{
    auth::AuthConfig,
    oauth::OAuthConfig,
    rbac::{RbacConfig, RbacPolicy, RoleConfig},
    transport::{McpServerConfig, serve},
};

#[derive(Clone)]
struct OAuthHandler;

impl ServerHandler for OAuthHandler {
    fn get_info(&self) -> ServerInfo {
        ServerInfo::new(ServerCapabilities::builder().enable_tools().build())
    }
}

#[tokio::main(flavor = "multi_thread", worker_threads = 2)]
async fn main() -> rmcp_server_kit::Result<()> {
    let _ = rmcp_server_kit::observability::init_tracing("info,rmcp_server_kit=debug");

    // 1. Build the OAuth resource-server config. The audience must match the
    //    `aud` claim your IdP issues for this MCP server.
    let oauth = OAuthConfig::builder(
        "https://auth.example.com/",
        "rmcp-server-kit-oauth-example",
        "https://auth.example.com/.well-known/jwks.json",
    )
    .scope("mcp:admin", "admin")
    .scope("mcp:read", "viewer")
    .build();

    // 2. Plug OAuth into AuthConfig. No API keys needed when using OAuth.
    let mut auth = AuthConfig::with_keys(vec![]);
    auth.oauth = Some(oauth);

    // 3. RBAC policy: roles must match what `.scope(_, role)` mapped above.
    let rbac = Arc::new(RbacPolicy::new(&RbacConfig::with_roles(vec![
        RoleConfig::new("admin", vec!["*".into()], vec!["*".into()]),
        RoleConfig::new("viewer", vec!["resource_list".into()], vec!["*".into()]),
    ])));

    let config = McpServerConfig::new(
        "127.0.0.1:8080",
        "rmcp-server-kit-oauth-example",
        env!("CARGO_PKG_VERSION"),
    )
    .with_auth(auth)
    .with_rbac(rbac)
    .with_public_url("http://127.0.0.1:8080");

    serve(config.validate()?, || OAuthHandler).await
}