Add a blog post about secure MCP SSE server

[sberyozkin]

No description provided.

[github-actions]

🙈 The PR is closed and the preview is expired.

[cescoffier]

It's a great post. I thing we can clarify a few things:

1. Explains where the authentication happens in the MCP protocol (in which message the header must be set), even diving a bit in the MCP protocol a bit
2. I would actually start with curl and then having a dev ui demo (maybe even a quick video)

[sberyozkin]

@maxandersen @cescoffier Thanks very much for the thoughtful review, I know I was not quite getting along, but as always, on reflection, I know the updated PR should be better.

One thing I found difficult to update was to move curl as the first example. MCP Dev UI is good as the first one because both MCP and OIDC cards are aligned and I describe how to get OIDC token, and use Dev UI, and then in the follow up section I just refer to the Dev UI section for users to see how to get the token. Starting from curl or the inspector requires to repeat the same info re the OIDC token acqusitiuon.

I honestly don't mind if it goes first, but not sure how to make it work neatly if curl goes first, Clement, if you'd like please give it a try.

Please follow up tomorrow morning with suggestions, especially with respect to some further technical clarifications and we should be ready to merge soon.

Cheers

[sberyozkin]

I've resolved all the comments though I may not have addressed them as you were expecting - please create new suggestions

[sberyozkin]

May be I can have a dedicated section for getting the token and then refer to it from all other sections, that might work, will try tomorrow

[cescoffier]

Way better! I made a few comments and suggestions.

The main thing I think would be to use prod mode for the inspector and curl demo. Do you think it's possible?

[sberyozkin]

@cescoffier Thanks, sure, I'll have a look at having it run with jbang, I'll apply all the suggestions except those related to the versions and then let's try to do one more review round

[sberyozkin]

Hi @cescoffier, actually, unfortunately, supporting the prod mode will make it more complex.

We'd still not be able to plug it in into Claude right now, until it starts supporting the MCP server user login, so that would leave the only other option, which I actually used to have but dropped:

• We'd require users to register a GitHub application which may be a bit of a problem for some users
• We'd have to provide a JAX-RS callback endpoint, once GitHub authentication is done, which would return GitHub token for the user to copy it and pass into MCP inspector - but it does not look great IMHO - users won't do it in prod

I suggest we just keep it in Dev Mode for this one, this is 100% not the last article about MCP security, and we'll do something interesting for prod once Claude and other MCP clients actually start supporting logging in users

[cescoffier]

I've another long train journey tomorrow. I will do another review tomorrow.

[maxandersen]

a few minor nitpicks for clarity but otherwise really good stuff!

[sberyozkin]

Thanks @maxandersen, I've applied your suggestions with minor tweaks, please add more suggestions if you'd like.

Clement would also like to have another look tomorrow, so I guess I'll update the publish date to Monday Apr 28th

[cescoffier]

Wow! Sergei, this is great, it's going to be awesome!
I've made a few suggestions. There is a flaw in the flow when we configure the MCP server with GitHub.

[sberyozkin]

@cescoffier Thanks Clement for a very thorough review, very appreciated.

There have been quite a few comments, I hope I've addressed all of them, either applying the suggestions directly or trying to react to some suggestion with an update, where I felt the direct suggestion application may not work best.

I'm going to check for various typos, the only 2 main things that I believe are open are:

• Short video, as I commented, I propose to do it in a more dedicated session about MCP security
• In the curl section, adding a nice little picture to help users visualize SSE flow would be great, but that suggestion was added 3 days ago and I missed it, and I reworked the curl section since then. So if you would like please propose the one tomorrow on Monday, or we can just keep it as is.

Have another quick look tomorrow, I think the PR is very close to being merged now, cheers

[sberyozkin]

I published it locally and did a few minor follow up updates like restoring a line break between Firstly and Secondly in the intro as it looks like one a big sentence otherwise, IMHO it is nice to distinguish between prod and dev modes with a line break. Fixed a few broken links, overall is not too bad.
It is still only our first intro into this topic :-), we can add many more details and content later as well :-)

[cescoffier]

How to start the server in prod mode needs to be reworked a bit.
The rest is just a few typos.

[cescoffier]

Claude only supports stdio transport (for now).
So, switch to what Quarkus recommends, not planning on something we don't know.

[sberyozkin]

@cescoffier

So, switch to what Quarkus recommends, not planning on something we don't know.

The fact that Claude does not support SSE is not really important, it is just that this demo would be ready to be plugged in We just show how to start with jbang - we don't recommend using uber jar - I added a note to tell users that the only reason we do it is to support a jbang start up

[sberyozkin]

Anyway, I'll just update as you proposed, but add a note about jbang instead

[maxandersen]

@cescoffier

So, switch to what Quarkus recommends, not planning on something we don't know.

The fact that Claude does not support SSE is not really important, it is just that this demo would be ready to be plugged in We just show how to start with jbang - we don't recommend using uber jar - I added a note to tell users that the only reason we do it is to support a jbang start up

the uber jar is not required for jbang. jbang supports non-uber-jar. its java that is the limit here. uber-jar is just so its easier to distributed and faster to start

[cescoffier]

Faster to start? I really doubt.
Easier to start, maybe.

[sberyozkin]

Thanks @maxandersen, @cescoffier, it should be ready to go now ?

Thanks for the review, planning to go ahead with the merge in about an hour