How to scope MCP access tokens to a specific organization?

Hello! I am using both the Organization and the MCP plugins. I would like my MCP access tokens to be scoped to a specific organization and not give access to all organizations of a user. The flow I was envisioning is to have the user log in if not already the case, then go to an org selection page before the authorization is done, but I couldn't find how to achieve this. I tried to get this done through the consent page (have the consent page be an auth selection page, and manually set an organizationId in oauthAccessTokens before accepting consent), but this feels like a hack and I couldn't get this to work either (the consent page is never displayed). Here is my config:
    ...
    plugins: [
      mcp({
        loginPage: '/login',
        oidcConfig: {
          loginPage: '/login',
          consentPage: '/mcp/consent',
          trustedClients: [],
          requirePKCE: true,
          scopes: ['openid'],
        },
      }),
    ...
It looks like the protocol spec tends to handle multi-tenancy at the discovery level, if I understand correctly: https://modelcontextprotocol.io/specification/draft/basic/authorization#server-metadata-discovery Thank you!
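The discovery-level approach the question links to means each organization gets its own MCP resource URL and its own protected-resource metadata document, and the resource server rejects any token that was not issued for that exact resource. The following is an added example, not code from the original post and not part of better-auth or its MCP/Organization plugins: it shows the resource-server side of that design with a constructed token format (decoded claims carrying `sub`, `aud`, `org` and `scope`; the claim name `org`, the base URL and the URL layout are assumptions). Signature verification of the token is assumed to have happened before `authorizeForOrg` is called.

```javascript
// Added example: per-organization MCP resource binding (not better-auth code).
// Assumption: tokens have already been signature-checked and decoded to a
// claims object like { sub, aud, org, scope, exp }.

const BASE_URL = "https://mcp.example.com"; // assumed deployment URL

// The org-specific resource URL every check below is anchored on
function resourceUrlFor(orgId) {
  return `${BASE_URL}/org/${orgId}/mcp`;
}

// RFC 9728-style protected resource metadata served for one organization.
// A client that discovers this document learns which resource to request a
// token for, so a token minted for org_a carries org_a's resource URL as aud.
function protectedResourceMetadata(orgId) {
  return {
    resource: resourceUrlFor(orgId),
    authorization_servers: [`${BASE_URL}/auth`], // assumed AS location
    scopes_supported: ["openid", `org:${orgId}`],
    bearer_methods_supported: ["header"],
  };
}

// Decide whether decoded token claims may access the MCP endpoint of orgId.
// Every branch returns a reason so the rejection can be logged and audited.
function authorizeForOrg(claims, orgId, nowMs = Date.now()) {
  if (!claims || typeof claims !== "object") {
    return { ok: false, reason: "no_token" };
  }
  if (typeof claims.exp === "number" && claims.exp * 1000 < nowMs) {
    return { ok: false, reason: "expired" };
  }
  // Audience binding: the token must name this org's resource, not another's
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(resourceUrlFor(orgId))) {
    return { ok: false, reason: "audience_mismatch" };
  }
  // Organization claim must agree with the path the request arrived on
  if (claims.org !== orgId) {
    return { ok: false, reason: "organization_mismatch" };
  }
  // Scope check: the org-specific scope must have been granted at consent
  const scopes = typeof claims.scope === "string" ? claims.scope.split(" ") : [];
  if (!scopes.includes(`org:${orgId}`)) {
    return { ok: false, reason: "missing_org_scope" };
  }
  return { ok: true, organizationId: orgId, userId: claims.sub };
}

// 401 response that points the MCP client at the per-org metadata document,
// using the resource_metadata parameter from RFC 9728.
function unauthorizedResponse(orgId, reason) {
  const metadataUrl =
    `${BASE_URL}/.well-known/oauth-protected-resource/org/${orgId}/mcp`; // assumed layout
  return {
    status: 401,
    headers: {
      "WWW-Authenticate":
        `Bearer resource_metadata="${metadataUrl}", error="invalid_token", error_description="${reason}"`,
    },
  };
}

// Constructed sample claims: a token issued for org_a only
const TOKEN_ORG_A = {
  sub: "user_1",
  org: "org_a",
  aud: resourceUrlFor("org_a"),
  scope: "openid org:org_a",
  exp: Math.floor(Date.now() / 1000) + 3600,
};

// Same token presented to org_b's endpoint is rejected before any MCP call runs
function handleRequest(claims, orgId) {
  const decision = authorizeForOrg(claims, orgId);
  return decision.ok ? { status: 200, organizationId: decision.organizationId }
                     : unauthorizedResponse(orgId, decision.reason);
}

console.log(handleRequest(TOKEN_ORG_A, "org_a").status); // 200
console.log(handleRequest(TOKEN_ORG_A, "org_b").status); // 401
```

With this layout the organization choice happens before the token is issued (the client asks for a token for one org's resource URL), and the resource server can enforce it without looking up which organizations the user belongs to; a token for one org never works against another org's endpoint, and the audience check catches the mismatch even if the `org` claim were missing.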