CLI tools for MCP (Model Context Protocol) server setup and management with OIDC support (Auth0, Dex, Keycloak)
Project description
MCP Base
CLI tools for MCP (Model Context Protocol) server setup and management. These tools help you configure OIDC authentication, create Kubernetes secrets, set up RBAC, and manage MCP server deployments.
Installation
From PyPI
# Install base package (OIDC tools only)
pip install mcp-base
# Install with Kubernetes support
pip install mcp-base[kubernetes]
# Install all optional dependencies
pip install mcp-base[all]
From Source
git clone https://github.com/your-org/mcp-base.git
cd mcp-base
pip install -e ".[all]"
Usage
After installation, the mcp-base command is available with the following subcommands:
mcp-base <command> [options]
| Command | Description |
|---|---|
setup-oidc |
Set up OIDC provider (Auth0, Dex, Keycloak, etc.) for MCP authentication |
create-secrets |
Create Kubernetes secrets for MCP deployment |
setup-rbac |
Set up Kubernetes RBAC resources |
add-user |
Add users to allowed clients |
Setting Up OIDC
Configure your OIDC provider for MCP authentication.
Supported providers: auth0, dex, keycloak, okta, generic
To see all provider options and examples:
mcp-base setup-oidc --help
To get help for a specific provider:
mcp-base setup-oidc --provider dex --help
1. Auth0 (Automated Setup)
The CLI automatically configures your Auth0 tenant:
# Set up Auth0 (first run)
mcp-base setup-oidc --provider auth0 \
--domain your-tenant.auth0.com \
--api-identifier https://mcp-server.example.com/mcp \
--token YOUR_MGMT_TOKEN
# Subsequent runs (uses saved configuration)
mcp-base setup-oidc --provider auth0
# Force recreate clients (if secrets are lost)
mcp-base setup-oidc --provider auth0 --recreate-client
2. Dex, Keycloak, Okta, or Generic OIDC (Pre-configured)
For providers where you already have client credentials configured:
# Interactive mode (prompts for values)
mcp-base setup-oidc --provider dex
# Non-interactive mode
mcp-base setup-oidc --provider dex \
--issuer https://dex.example.com \
--audience https://mcp-server.example.com/mcp \
--client-id YOUR_CLIENT_ID \
--client-secret YOUR_CLIENT_SECRET
# Keycloak
mcp-base setup-oidc --provider keycloak \
--issuer https://keycloak.example.com/realms/myrealm \
--audience https://mcp-server.example.com/mcp \
--client-id YOUR_CLIENT_ID \
--client-secret YOUR_CLIENT_SECRET
# Okta
mcp-base setup-oidc --provider okta \
--issuer https://your-org.okta.com \
--audience https://mcp-server.example.com/mcp \
--client-id YOUR_CLIENT_ID \
--client-secret YOUR_CLIENT_SECRET
# Any generic OIDC provider
mcp-base setup-oidc --provider generic \
--issuer https://your-idp.com \
--audience https://mcp-server.example.com/mcp \
--client-id YOUR_CLIENT_ID \
--client-secret YOUR_CLIENT_SECRET
Required Redirect URLs
Configure these redirect URLs in your OIDC provider:
- MCP Server:
https://mcp-server.example.com/auth/callback(replace with your actual server URL) - Claude Desktop:
https://claude.ai/api/mcp/auth_callback - Local testing (optional):
http://localhost:8888/callback,http://localhost:8889/callback
Endpoint resolution
When setup-oidc validates the issuer (the default), the authorization_endpoint, token_endpoint, and jwks_uri are read from the provider's .well-known/openid-configuration and saved verbatim to oidc-config.json. Pass --skip-validation to bypass the HTTP probe; in that case the endpoints are derived from provider-specific fallbacks:
| Provider | Auth | Token | JWKS |
|---|---|---|---|
keycloak |
{issuer}/protocol/openid-connect/auth |
{issuer}/protocol/openid-connect/token |
{issuer}/protocol/openid-connect/certs |
okta |
{issuer}/v1/authorize |
{issuer}/v1/token |
{issuer}/v1/keys |
dex, generic |
{issuer}/auth |
{issuer}/token |
{issuer}/.well-known/jwks.json |
Creating Kubernetes Secrets
Create secrets required for MCP server deployment:
# Create secrets in a namespace
mcp-base create-secrets --namespace default --release-name my-mcp-server
# Dry run to see what would be created
mcp-base create-secrets --namespace default --release-name my-mcp-server --dry-run
# Replace existing secrets
mcp-base create-secrets --namespace default --release-name my-mcp-server --force
Setting Up RBAC
Configure Kubernetes RBAC for MCP server:
# Cluster-wide permissions
mcp-base setup-rbac --namespace production --app-name my-mcp-server
# Namespace-scoped permissions
mcp-base setup-rbac --namespace production --app-name my-mcp-server --scope namespace
# Dry run
mcp-base setup-rbac --app-name my-mcp-server --dry-run
# Delete RBAC resources
mcp-base setup-rbac --app-name my-mcp-server --delete
Adding Users to Allowed Clients
Add users to the allowedClients array in your OIDC provider:
# Interactive mode
mcp-base add-user
# Non-interactive
mcp-base add-user --email user@example.com --client-type both
Dependencies
Required
requests>=2.28.0- HTTP client for Auth0 API
Optional (Kubernetes support)
kubernetes>=28.0.0- Kubernetes Python clientcryptography>=41.0.0- For generating encryption keys
Install with: pip install mcp-base[kubernetes]
Development
Setup
# Clone the repository
git clone https://github.com/your-org/mcp-base.git
cd mcp-base
# Install in development mode with all dependencies
pip install -e ".[dev]"
Running Tests
pytest
Code Quality
# Format code
black src/
# Lint
ruff check src/
# Type checking
mypy src/
Publishing to PyPI
Prerequisites
- Create an account on PyPI and Test PyPI
- Install build tools:
pip install build twine
- Create API tokens and save them locally (git-ignored):
echo "pypi-YOUR_TEST_TOKEN" > test.token && chmod 600 test.token echo "pypi-YOUR_PROD_TOKEN" > prod.token && chmod 600 prod.token
Makefile (preferred)
make build # Clean + build only; artifacts in dist/
make test # Run pytest
make dev # Publish to Test PyPI using ./test.token
make prod # Publish to production PyPI using ./prod.token (prompts "yes" to confirm)
make clean # Remove dist/, build/, *.egg-info
make dev / make prod refuse to run if the expected token file is missing or empty.
Build the Package Manually
# Clean previous builds
rm -rf dist/ build/ *.egg-info src/*.egg-info
# Build source distribution and wheel
python -m build
This creates:
dist/mcp_base-0.1.0.tar.gz(source distribution)dist/mcp_base-0.1.0-py3-none-any.whl(wheel)
Test on Test PyPI (Recommended)
# Upload to Test PyPI
python -m twine upload --repository testpypi dist/*
# Or with a token file
python -m twine upload --repository testpypi dist/* -u __token__ -p "$(cat ~/.testpypi-token)"
# Test installation from Test PyPI
pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple/ mcp-base
Publish to PyPI
# Upload to PyPI
python -m twine upload dist/*
Using API Tokens (Recommended)
Instead of username/password, use API tokens:
- Go to PyPI > Account Settings > API tokens
- Create a token with scope "Entire account" or project-specific
- Use the token directly:
python -m twine upload dist/* -u __token__ -p pypi-YOUR_TOKEN_HERE
Using a Token File
For better security, store your token in a file and read it during upload:
# Store token in a file (do this once)
echo "pypi-YOUR_TOKEN_HERE" > ~/.pypi-token
chmod 600 ~/.pypi-token
# Upload using the token file
python -m twine upload dist/* -u __token__ -p "$(cat ~/.pypi-token)"
# Or using environment variables
TWINE_PASSWORD=$(cat ~/.pypi-token) python -m twine upload dist/*
Using .pypirc Configuration File
Or create ~/.pypirc:
[pypi]
username = __token__
password = pypi-YOUR_TOKEN_HERE
[testpypi]
username = __token__
password = pypi-YOUR_TEST_TOKEN_HERE
Automated Publishing with GitHub Actions
Create .github/workflows/publish.yml:
name: Publish to PyPI
on:
release:
types: [published]
jobs:
publish:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Install build dependencies
run: pip install build twine
- name: Build package
run: python -m build
- name: Publish to PyPI
env:
TWINE_USERNAME: __token__
TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
run: python -m twine upload dist/*
Add your PyPI API token as a repository secret named PYPI_API_TOKEN.
License
MIT License - see LICENSE file for details.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file mcp_base-0.4.0.tar.gz.
File metadata
- Download URL: mcp_base-0.4.0.tar.gz
- Upload date:
- Size: 41.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
118659c0c991cf71ea2d745d4f064ad279e24c805f33123b2c7efaea0141cdc1
|
|
| MD5 |
9a586d5e4581a3d5c891e0d1c0d30e58
|
|
| BLAKE2b-256 |
58e82ef9ee2d8c0f5b00c3301b5b3e28b4733675a755027e9dafb9e4cab76c8e
|
File details
Details for the file mcp_base-0.4.0-py3-none-any.whl.
File metadata
- Download URL: mcp_base-0.4.0-py3-none-any.whl
- Upload date:
- Size: 43.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ae9daaf55bb7ed63ae15ae9a19fd420edaf1658e6739a079dc3372e519c19d22
|
|
| MD5 |
881e27ea3684e89f72c637cde01aae7e
|
|
| BLAKE2b-256 |
37e806d009d03fcb1286ca514dc16da14030c50e6cbc29be25017922fe44e476
|
