MCP · Series · 04 of 6
MCP Auth, Done Right
Phase 5TypeDeep DiveLanguagePythonPrereqRBAC in MCP
The flagship post: full OAuth 2.1 the way the MCP authorization spec intends it — Keycloak as the IdP, Protected Resource Metadata discovery, scopes and resource indicators, Dynamic Client Registration, and a clear-eyed take on the confused deputy problem and why token passthrough is forbidden.
Follow along in the companion repo, where the phased plan and locked decisions live in CLAUDE.md. This page updates the moment the phase is done.
series progress0%