MCP Bridge


Overview

The MCP Provider app pattern enables AI agents to discover and invoke APIs through the Model Context Protocol while Maverics enforces:

  • Capability-based access control using OPA policies

  • OAuth 2.0 token exchange for audience transformation

  • Session management and connection lifecycle

  • Comprehensive logging of agent actions

This lets AI language models invoke enterprise APIs on behalf of users while security boundaries and audit trails are maintained.

This guide provides an overview of the following topics:

  1. Define the services in your identity fabric

  2. Configure the upstream application

  3. Define the user flow for your upstream app

  4. Deploy the application

Key Components

This pattern uses three Maverics components:

  • MCP Provider - Protocol server handling MCP transport and OAuth authorization

  • MCP Bridge Apps - Convert OpenAPI specifications into MCP tools with policy enforcement

  • OIDC Provider - Token exchange

This pattern implements the Model Context Protocol specification.

[Flowchart: session establishment and tool invocation in the MCP Provider architecture]

Prerequisites

Define services to include in your Identity Fabric

You can choose identity or attribute providers to include in your Identity Fabric. Leveraging services from cloud-based IDPs such as Microsoft Entra ID, Okta, Auth0, and Ping, open source providers such as Keycloak or WSO2, and on-prem services like LDAP ensures that your application has what it needs for a secure authentication and authorization user flow. For providers not on the list, Maverics supports generic SAML and OIDC connections.

From your IDP, you will need to register a new application. From Maverics, you will create a new identity fabric configuration. You can then use it in a user flow for authentication.

The following steps use the Strata provided Keycloak IDP:

  1. Go to Identity Fabric

  2. On the right, scroll and select Keycloak (OIDC)

  3. For the OIDC configuration, enter the following:

Deploy an MCP provider

From the Deployments Manager, go to the Orchestrator Settings section to define the settings for your MCP provider.

MCP Provider Options

Field

Description

Enabled

The Enabled toggle turns on integration with MCP servers, allowing dynamic authentication, model selection, and endpoint management for AI agents and external services.

Transports (HTTP Stream) - Stream Endpoint

An HTTP stream transport enables real-time, continuous data flow between the MCP Bridge and AI agents through a persistent HTTP connection, allowing bidirectional communication and immediate transmission of events and responses. In the Stream Endpoint field, specify the URL path where clients will connect to receive updates.

Session Header Name

The name of the HTTP header that carries the session identifier for an HTTP Stream session. The MCP Streamable HTTP transport specifies Mcp-Session-Id for this purpose; the server assigns the value, and clients must send it back on every subsequent request.

Session Timeout

The maximum period of inactivity before a session is automatically closed. This helps prevent idle or orphaned connections from consuming resources.

Allow Client Termination

When the toggle is enabled, clients may close their own stream sessions when disconnecting or shutting down. When the toggle is disabled, only the server can end a session (for example through the Session Timeout).

OAuth 2.0 Discovery - Discovery Endpoint

The endpoint where the MCP provider exposes its own OAuth protected resource metadata for discovery, so that MCP clients can learn which authorization server to obtain tokens from.

Authorization Server - Well-Known Endpoint

The OpenID Connect well-known endpoint of the authorization server that issues the access tokens the MCP provider validates. The provider reads the issuer and the JWKS URI from this document.

Refresh Interval

How often the MCP Provider refreshes metadata from the authorization server (for example: JWKS keys, issuer info).

JWT Token Validation - Expected Audiences

Defines the list of acceptable audience URLs for access tokens. A token whose aud claim contains none of these values is rejected, which prevents a token minted for another resource from being replayed against the MCP provider.

Clock Skew Allowance

Time tolerance allowed when validating token expiry or issuance to account for clock differences between systems.
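As an added illustration of the three session settings above (Session Header Name, Session Timeout, Allow Client Termination), here is a small Python session table for a Streamable HTTP endpoint. It is example code, not Maverics code: the default header name Mcp-Session-Id comes from the MCP Streamable HTTP transport, but the status codes (204 on a client DELETE, 404 for an unknown or idle-expired session, 405 when client termination is disabled) and the in-memory store are this example's own assumptions.

```python
import secrets
import time


class StreamSessionStore:
    """In-memory session table for a Streamable HTTP MCP endpoint.

    Models the Session Header Name, Session Timeout and Allow Client
    Termination settings; the JSON-RPC bodies are out of scope here.
    """

    def __init__(self, session_header="Mcp-Session-Id", timeout=900,
                 allow_client_termination=True, now=time.time):
        self.session_header = session_header.lower()  # HTTP header names are case-insensitive
        self.timeout = timeout
        self.allow_client_termination = allow_client_termination
        self._now = now
        self._last_seen = {}  # session id -> time of the last request on it

    def open(self):
        # The server chooses an unguessable id; a client-supplied id is never accepted.
        sid = secrets.token_urlsafe(24)
        self._last_seen[sid] = self._now()
        return sid

    def handle(self, method, headers):
        """Return (HTTP status, session id) for one request on the stream endpoint."""
        hdrs = {k.lower(): v for k, v in headers.items()}
        sid = hdrs.get(self.session_header)
        if sid is None:
            # Only the initialize POST may arrive without a session; the server assigns one.
            return (200, self.open()) if method == "POST" else (400, None)
        if method == "DELETE":
            if not self.allow_client_termination:
                return 405, sid  # clients may not end sessions; only the server reaps them
            self._last_seen.pop(sid, None)
            return 204, sid  # success status for DELETE is this example's choice
        last = self._last_seen.get(sid)
        if last is None or self._now() - last > self.timeout:
            self._last_seen.pop(sid, None)
            return 404, sid  # unknown or idle-expired: the client must re-initialize
        self._last_seen[sid] = self._now()
        return 200, sid

    def reap(self):
        """Drop sessions idle for longer than the timeout; returns how many were closed."""
        cutoff = self._now() - self.timeout
        stale = [sid for sid, last in self._last_seen.items() if last < cutoff]
        for sid in stale:
            del self._last_seen[sid]
        return len(stale)
```

The `now` parameter exists so the timeout logic can be driven with a fake clock in tests; in production leave it at `time.time` and call `reap()` from a periodic task.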
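To make the Authorization Server and JWT Token Validation settings concrete (well-known metadata refresh, Expected Audiences, Clock Skew Allowance), here is an added Python validator in the shape a resource server such as the MCP provider would run. It is example code, not Maverics code. To stay dependency-free it signs with HS256 using a symmetric "oct" JWKS entry; a real authorization server publishes asymmetric keys (RS256/ES256) and the fetch callable would read the JWKS URI from the well-known document. The issuer, audience, key and token values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class JwksCache:
    """Keys from the authorization server's JWKS, re-fetched every refresh_interval
    seconds (the Refresh Interval setting) and once more on sight of an unknown kid."""

    def __init__(self, fetch_jwks, refresh_interval, now=time.time):
        self._fetch, self._interval, self._now = fetch_jwks, refresh_interval, now
        self._keys, self._fetched_at = {}, None
        self.fetch_count = 0

    def _refresh(self):
        self._keys = {k["kid"]: k for k in self._fetch()["keys"]}
        self._fetched_at = self._now()
        self.fetch_count += 1

    def key(self, kid):
        if self._fetched_at is None or self._now() - self._fetched_at >= self._interval:
            self._refresh()
        if kid not in self._keys:
            self._refresh()  # key rotation: one forced refresh for an unknown kid
        return self._keys.get(kid)


def validate_access_token(token, jwks, issuer, expected_audiences, clock_skew, now=time.time):
    """Verify signature, issuer, time window (with skew) and audience; return the claims."""
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h64))
    payload = json.loads(b64url_decode(p64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg=none
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    jwk = jwks.key(header.get("kid"))
    if jwk is None or jwk.get("kty") != "oct":
        raise ValueError("unknown signing key")
    expected = hmac.new(b64url_decode(jwk["k"]), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    t = now()
    if payload.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if "exp" not in payload or t > payload["exp"] + clock_skew:
        raise ValueError("token expired")
    if t < payload.get("nbf", payload.get("iat", t)) - clock_skew:
        raise ValueError("token not yet valid")
    aud = payload.get("aud", [])
    auds = {aud} if isinstance(aud, str) else set(aud)
    if not auds & set(expected_audiences):
        raise ValueError(f"audience {sorted(auds)} not in expected audiences")
    return payload


def mint_token(payload, key, kid, alg="HS256"):
    """Constructed test tokens only; a real AS signs with an asymmetric key."""
    h64 = b64url_encode(json.dumps({"alg": alg, "typ": "JWT", "kid": kid}).encode())
    p64 = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{b64url_encode(sig)}"


# Constructed sample data (not real keys or endpoints).
DEMO_KEY = b"0" * 32
DEMO_JWKS = {"keys": [{"kty": "oct", "kid": "demo-1", "k": b64url_encode(DEMO_KEY)}]}
ISSUER = "https://idp.example.com/realms/demo"
EXPECTED_AUDIENCES = ["https://mcp.example.com/mcp"]


def demo(now=1_700_000_000):
    jwks = JwksCache(lambda: DEMO_JWKS, refresh_interval=300, now=lambda: now)
    token = mint_token({"iss": ISSUER, "aud": EXPECTED_AUDIENCES[0], "sub": "alice",
                        "iat": now - 60, "exp": now + 600}, DEMO_KEY, "demo-1")
    return validate_access_token(token, jwks, ISSUER, EXPECTED_AUDIENCES, clock_skew=30, now=lambda: now)
```

Note the order of checks: signature and algorithm first, then issuer, then time and audience. The skew is applied symmetrically, so a token that expired 10 seconds ago still passes with a 30 second allowance, while one 60 seconds past expiry does not.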

Configure an OIDC provider

A Maverics OIDC provider can be deployed with your MCP provider or as a standalone deployment. It issues tightly scoped tokens governed by OPA policies, including support for OAuth 2.0 On-Behalf-Of (OBO) flows. This is critical for maintaining identity context when agents delegate tasks to other agents or services. Follow the steps in the OIDC configuration guide to deploy an OIDC provider.

Configure an MCP Bridge application

From the Applications page, create an MCP Bridge App by clicking the Create button and selecting MCP Bridge App from the Create a new Application menu.

[Screenshot: configuration settings for the application, including grant types and redirect URLs]

Field Name

Description

Example

Name

A friendly name for your MCP Bridge application.

ExampleApp

App Icon

Upload an image for your application to display in Maverics.

Maverics supports JPEG, PNG, or SVG, up to 2MB maximum.

OpenAPI Spec File Path

Specify the OpenAPI definition inline as YAML or JSON, or as a path to the definition file in the orchestrator host environment. The file path field supports file:// URIs for local files.

Base URL Override

Optional. Overrides the base URL at which the APIs are actually published when it differs from the servers entry defined in the OpenAPI spec.

OPA Policy Definition

The Open Policy Agent (OPA) authorization policy applied to inbound requests. It governs who or what can call the MCP Bridge, so that you can enforce fine-grained access control for incoming requests; for instance, a policy can restrict requests to a certain network zone.
Click Edit to define the policy in the Rego format.
Learn More About OPA Authorization

Outbound Policy Authorization Type

How the MCP Bridge authorizes its calls to the upstream API when a tool is invoked:

  • Unprotected (not recommended): no outbound authorization is applied to calls to the upstream API.

  • Token Exchange (Default): the inbound token is exchanged at the OIDC Identity Provider for a token whose audience is the upstream API, so the token presented to the MCP Bridge is never forwarded as-is.

OIDC Identity Provider

Specifies the OIDC identity provider used for token exchange.

Audience

The audience (aud) claim requested during token exchange, specifying the intended recipient of the issued token.

Scope Mappings

Defines the relationship between MCP tools and the OAuth scopes required to use them. Each tool exposed by the MCP Bridge can be mapped to one or more scopes that a client must present in its access token. This allows fine-grained authorization to ensure that only clients with the proper permissions can call specific tools.

For example:

getTicketsPrice: tickets:read

postTicketsPrice: tickets:write
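The following added Python example ties the MCP Bridge settings above together (OpenAPI Spec, Base URL Override, Outbound Policy Authorization Type, Audience and Scope Mappings) in the way a bridge might apply them to a tools/call. It is illustration, not Maverics code: the OpenAPI document, the `demo_exchange` stand-in for the OIDC provider's token endpoint, the deny-by-default handling of unmapped operations and the `tools:call` request shape are this example's assumptions. The `claims` argument is assumed to be the payload of an access token the MCP provider has already validated, and the token-exchange form body follows RFC 8693.

```python
from urllib.parse import quote

# Constructed OpenAPI document (stands in for the OpenAPI Spec File Path setting).
SAMPLE_OPENAPI = {
    "openapi": "3.0.3",
    "servers": [{"url": "https://tickets.internal.example.com/v1"}],
    "paths": {
        "/tickets/{id}/price": {
            "get": {"operationId": "getTicketsPrice", "summary": "Read a ticket price",
                    "parameters": [{"name": "id", "in": "path", "required": True}]},
            "post": {"operationId": "postTicketsPrice", "summary": "Set a ticket price",
                     "parameters": [{"name": "id", "in": "path", "required": True}]},
        },
        "/health": {"get": {"operationId": "getHealth", "summary": "Liveness probe"}},
    },
}

# Scope Mappings as on the page: tool (operationId) -> scopes the caller's token must carry.
SCOPE_MAPPINGS = {"getTicketsPrice": {"tickets:read"}, "postTicketsPrice": {"tickets:write"}}

HTTP_METHODS = {"get", "post", "put", "patch", "delete"}


def tools_from_openapi(spec, base_url_override=None):
    """One MCP tool per operation; Base URL Override wins over the spec's servers entry."""
    base = (base_url_override or spec["servers"][0]["url"]).rstrip("/")
    tools = {}
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            if method not in HTTP_METHODS:
                continue
            name = op.get("operationId") or method + path.replace("/", "_").replace("{", "").replace("}", "")
            path_params = [p["name"] for p in op.get("parameters", []) if p.get("in") == "path"]
            tools[name] = {"method": method.upper(), "url": base + path,
                           "description": op.get("summary", ""), "path_params": path_params}
    return tools


def token_exchange_request(subject_token, audience, scopes):
    """RFC 8693 form body: swap the inbound token for one whose aud is the upstream API."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token": subject_token,
        "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "audience": audience,
        "scope": " ".join(sorted(scopes)),
    }


class McpBridge:
    def __init__(self, spec, scope_mappings, outbound_auth="token_exchange",
                 audience=None, exchange=None, base_url_override=None):
        if outbound_auth not in ("token_exchange", "unprotected"):
            raise ValueError(f"unknown outbound authorization type {outbound_auth!r}")
        if outbound_auth == "token_exchange" and not (audience and exchange):
            raise ValueError("token exchange needs an audience and an exchange callable")
        self.tools = tools_from_openapi(spec, base_url_override)
        self.scope_mappings = scope_mappings
        self.outbound_auth, self.audience, self.exchange = outbound_auth, audience, exchange

    def list_tools(self):
        # Only mapped tools are advertised; an operation without a scope mapping is not
        # callable at all (deny by default, this example's choice).
        return sorted(n for n in self.tools if n in self.scope_mappings)

    def call_tool(self, name, arguments, inbound_token, claims):
        """Authorize a tools/call and return the upstream HTTP request it would make."""
        tool, required = self.tools.get(name), self.scope_mappings.get(name)
        if tool is None or required is None:
            raise PermissionError(f"tool {name!r} is not exposed")
        granted = set(claims.get("scope", "").split())
        if not required <= granted:
            raise PermissionError(f"{name} needs {sorted(required)}, token has {sorted(granted)}")
        # Percent-encode path parameters so an argument like '../admin' cannot rewrite the path.
        values = {}
        for p in tool["path_params"]:
            if p not in arguments:
                raise ValueError(f"missing path parameter {p!r}")
            values[p] = quote(str(arguments[p]), safe="")
        headers = {}
        if self.outbound_auth == "token_exchange":
            issued = self.exchange(token_exchange_request(inbound_token, self.audience, required))
            headers["Authorization"] = "Bearer " + issued["access_token"]
        # "unprotected": the inbound token is never forwarded, and nothing replaces it.
        return {"method": tool["method"], "url": tool["url"].format(**values), "headers": headers}


def demo_exchange(form):
    """Constructed stand-in for the OIDC provider's token endpoint (RFC 8693 response shape)."""
    assert form["grant_type"] == "urn:ietf:params:oauth:grant-type:token-exchange"
    return {"access_token": f"exchanged:{form['audience']}:{form['scope']}",
            "issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
            "token_type": "Bearer"}
```

Two details matter most for security: the scope requested in the exchange is exactly the set the tool needs, so the upstream token is no broader than the call, and the inbound token never appears in the outbound request in either mode.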

Deploying the application

Deployments Overview

Deployments in Maverics are how you bundle and publish your orchestration configurations — including applications, user flows, identity services, and policy logic — to your orchestrators for enforcement. Before deploying, review the Deployment Overview to understand how environments, services, and storage work together in Maverics.

Prerequisite: Storage Configuration connected to an Orchestrator service

To successfully deploy and test your application's user flow, you must first configure a storage provider and connect it to installed orchestrator services.

Recommended: Use Maverics Storage for the fastest and simplest evaluation experience.

Other storage options (for example, AWS S3, Google Cloud Storage, GitHub repo, and Microsoft Azure Blob storage) are supported. See the full Storage Configuration Guides for setup instructions.

Add your application to a deployment

Once your storage is configured, you can deploy your application using the Deployment Manager:

  1. Navigate to Deployments in the Maverics UI.

  2. Create a new deployment or select an existing one.

  3. Add your application(s) to the deployment.

  4. Click Publish Preview to review and validate the deployment configuration.

  5. After confirming the preview looks correct, click Publish to push the configuration to your orchestrators.