Add a blog post about secure MCP SSE server

[sberyozkin]

No description provided.

[github-actions]

🎊 PR Preview 2b23014 has been successfully built and deployed to https://quarkus-site-pr-2284-preview.surge.sh

• Images of blog posts older than 3 months are not available.
• Newsletters older than 3 months are not available.

[cescoffier]

It's a great post. I thing we can clarify a few things:

1. Explains where the authentication happens in the MCP protocol (in which message the header must be set), even diving a bit in the MCP protocol a bit
2. I would actually start with curl and then having a dev ui demo (maybe even a quick video)

[sberyozkin]

@maxandersen @cescoffier Thanks very much for the thoughtful review, I know I was not quite getting along, but as always, on reflection, I know the updated PR should be better.

One thing I found difficult to update was to move curl as the first example. MCP Dev UI is good as the first one because both MCP and OIDC cards are aligned and I describe how to get OIDC token, and use Dev UI, and then in the follow up section I just refer to the Dev UI section for users to see how to get the token. Starting from curl or the inspector requires to repeat the same info re the OIDC token acqusitiuon.

I honestly don't mind if it goes first, but not sure how to make it work neatly if curl goes first, Clement, if you'd like please give it a try.

Please follow up tomorrow morning with suggestions, especially with respect to some further technical clarifications and we should be ready to merge soon.

Cheers

[sberyozkin]

I've resolved all the comments though I may not have addressed them as you were expecting - please create new suggestions

[sberyozkin]

May be I can have a dedicated section for getting the token and then refer to it from all other sections, that might work, will try tomorrow

[cescoffier]

Way better! I made a few comments and suggestions.

The main thing I think would be to use prod mode for the inspector and curl demo. Do you think it's possible?

[sberyozkin]

@cescoffier Thanks, sure, I'll have a look at having it run with jbang, I'll apply all the suggestions except those related to the versions and then let's try to do one more review round

[sberyozkin]

Hi @cescoffier, actually, unfortunately, supporting the prod mode will make it more complex.

We'd still not be able to plug it in into Claude right now, until it starts supporting the MCP server user login, so that would leave the only other option, which I actually used to have but dropped:

• We'd require users to register a GitHub application which may be a bit of a problem for some users
• We'd have to provide a JAX-RS callback endpoint, once GitHub authentication is done, which would return GitHub token for the user to copy it and pass into MCP inspector - but it does not look great IMHO - users won't do it in prod

I suggest we just keep it in Dev Mode for this one, this is 100% not the last article about MCP security, and we'll do something interesting for prod once Claude and other MCP clients actually start supporting logging in users

[cescoffier]

I've another long train journey tomorrow. I will do another review tomorrow.

[maxandersen]

a few minor nitpicks for clarity but otherwise really good stuff!

[sberyozkin]

Thanks @maxandersen, I've applied your suggestions with minor tweaks, please add more suggestions if you'd like.

Clement would also like to have another look tomorrow, so I guess I'll update the publish date to Monday Apr 28th